topic Re: Graph displays incorrectly with timechart function in Splunk Enterprise Security

Graph displays incorrectly with timechart function

Hegemon76 — Tue, 10 Apr 2018 23:06:07 GMT

Here is my search string:

I have the corresponding XML but it isn't letting me post it. It works....all the colors work.

These two are correct in terms of what I'm going for however when the visualization displays there is a count "bar" that corresponds directly to the other bars come out to. All I wanted to do was have a chart with different colors than blue to distinguish data by week but it seems like this is impossible based on everything I've read. You have to use timechart and timechart seems to only display data with a count field that makes the whole thing look like trash.

Any help would be great!

Thanks

Re: Graph displays incorrectly with timechart function

niketn — Wed, 11 Apr 2018 05:55:13 GMT

@Hegemon76 can you post code using code button i.e. button with 101010 on it (shortcut is CTRL+K). Also if possible can you upload screen mock up of what you have and what is the issue? You can upload to any image sharing site and then post the image link using Image button (Shortcut Ctrl+G).

Re: Graph displays incorrectly with timechart function

niketn — Tue, 29 Sep 2020 18:58:31 GMT

@Hegemon76, please try out the following run anywhere search example based on Splunk's _internal index. You can change | bin _time span=1w and | eval _time=strptime(strftime(_time,"%Y/%m/%d"),"%Y/%m/%d") as per your need.

index=_internal sourcetype=splunkd log_level!=INFO 
| bin _time span=1h 
| stats count by _time 
| eval Status=case(count>25,"Severe",
    count<=25 AND count>20,"High",
    count<=20 AND count>15,"Moderate",
    count<=15 AND count>7,"Low",
    count<=7 AND count>0,"Very Low",
    true(), 0) 
| timechart span="1h" sum(count) as Count by Status 
| eval _time=strptime(strftime(_time,"%Y/%m/%d %H"),"%Y/%m/%d %H")
| fillnull value=0

Re: Graph displays incorrectly with timechart function

Hegemon76 — Wed, 11 Apr 2018 16:28:10 GMT

{"Severe":0xFF0000,"High":0xff8000,"Moderate":0xFFFF00,"Low":0x00FF00,"Very Low":0x0000ff}

Re: Graph displays incorrectly with timechart function

Hegemon76 — Wed, 11 Apr 2018 16:31:52 GMT

I need more karma points to post images.

😞

Re: Graph displays incorrectly with timechart function

Hegemon76 — Tue, 29 Sep 2020 18:58:43 GMT

So it works! This is great! Thanks niketnilay

However.....

How can I increase the size of the horizontal bar chart lines (or vertical the type of chart doesn't matter) ? Keep in mind I changed your script to this:

product=Windows EventCode=645 OR EventCode=4741
| bin _time span=1w
| stats count by _time
| eval Status=case(count>25,"Severe",
count<=25 AND count>20,"High",
count<=20 AND count>15,"Moderate",
count<=15 AND count>7,"Low",
count<=7 AND count>0,"Very Low",
true(), 0)
| timechart span="1h" sum(count) as Count by Status
| eval _time=strptime(strftime(_time,"%Y/%m/%d"),"%Y/%m/%d")
| fillnull value=0

The lines are incredibly small now (graphically) and clicking "format virtualization" to stacked or non stack doesn't do anything anymore. One issue begets another is seems.

Re: Graph displays incorrectly with timechart function

niketn — Wed, 11 Apr 2018 17:01:51 GMT

That is because you missed out changing span="1w" inside timechart command.

| timechart span="1w" sum(count) as Count by Status

Just FYI, for posting Image, you can upload the same to any image sharing site and then use the link using Image Button Ctrl+G.

Re: Graph displays incorrectly with timechart function

Hegemon76 — Wed, 11 Apr 2018 17:06:47 GMT

Ya I tried that and it just says I don't have enough karma.

Simple fix made the chart work. This is great thanks! I'm curious what removed the "count" part though?

Was is the "|fillnull value=0" or the entirety of what you did. That was driving me nuts for around 2 days trying to figure this out.

Re: Graph displays incorrectly with timechart function

niketn — Wed, 11 Apr 2018 17:13:45 GMT

The timechart command with split by Status field generates the count of Status and names the fields as the Status Name ie Low, Moderate etc. So there is not Count field.

fillnull just fills 0 instead of null to represent numeric data in graph.

Glad you found your solution. Do up vote the comments that helped 🙂

I am surprise that Link can not be attached. Are you sure you are not trying to use the Attachment button Ctrl+U which looks like a Paper Clip, as that is restricted by Karma points. In any case you can also directly paste the link of image sharing site where the image is uploaded just in case.

Have a great day ahead!

Re: Graph displays incorrectly with timechart function

Hegemon76 — Wed, 11 Apr 2018 17:22:23 GMT

Thanks for your help!

Re: Graph displays incorrectly with timechart function

Hegemon76 — Wed, 11 Apr 2018 21:27:18 GMT

I probably need to open a new question but that doesn't work for stats count or chart count.