https://community.splunk.com/t5/Dashboards-Visualizations/Show-two-timecharts-in-one-dashboard-panel/m-p/74133#M3984 <P>I'm trying to turn Splunk into my own custom IDS based on the data dumping in from Palo Alto. Right now I have a search that throws back a timechart of the top internal IPs...</P> <PRE><CODE>sourcetype="pan_threat" log_subtype="spyware" (severity="high" OR "critical") | eval frp_ip=if(dst_zone="trust", dst_ip, src_ip) | timechart count by frp_ip useother=f </CODE></PRE> <P>That works fantastically. Shows me the top 10 IPs throwing high or critical threat traffic. However, I want to correlate a baseline into it using the trendline command. However, I can't figure out how / where to throw the trendline command to get the desired effect of the trendline overlaying the existing chart. I also don't know how to throw the "period" field, as I don't know what the integer represents. (Seconds? Minutes? Something completely different that won't automatically correlate with time? Can I just throw a command in there for it to find the search window and automatically use that?) However, even when using the following code, it doesn't change my chart at all (threw 5 in there for testing purposes).</P> <PRE><CODE>sourcetype="pan_threat" log_subtype="spyware" (severity="high" OR "critical") | eval frp_ip=if(dst_zone="trust", dst_ip, src_ip) | timechart count by frp_ip useother=f | trendline sma5(count) </CODE></PRE> <P>Anyone familiar with this usage that can give me a little advice? I'm far from a RegEx Guru, but if building this IDS myself without XML Edit access has taught me anything, it's the inner workings of RegEx.</P> <P>-Travis</P> Thu, 26 Sep 2013 15:17:43 GMT tfitzgerald15 2013-09-26T15:17:43Z https://community.splunk.com/t5/Dashboards-Visualizations/Show-two-timecharts-in-one-dashboard-panel/m-p/74133#M3984 <P>I'm trying to turn Splunk into my own custom IDS based on the data dumping in from Palo Alto. Right now I have a search that throws back a timechart of the top internal IPs...</P> <PRE><CODE>sourcetype="pan_threat" log_subtype="spyware" (severity="high" OR "critical") | eval frp_ip=if(dst_zone="trust", dst_ip, src_ip) | timechart count by frp_ip useother=f </CODE></PRE> <P>That works fantastically. Shows me the top 10 IPs throwing high or critical threat traffic. However, I want to correlate a baseline into it using the trendline command. However, I can't figure out how / where to throw the trendline command to get the desired effect of the trendline overlaying the existing chart. I also don't know how to throw the "period" field, as I don't know what the integer represents. (Seconds? Minutes? Something completely different that won't automatically correlate with time? Can I just throw a command in there for it to find the search window and automatically use that?) However, even when using the following code, it doesn't change my chart at all (threw 5 in there for testing purposes).</P> <PRE><CODE>sourcetype="pan_threat" log_subtype="spyware" (severity="high" OR "critical") | eval frp_ip=if(dst_zone="trust", dst_ip, src_ip) | timechart count by frp_ip useother=f | trendline sma5(count) </CODE></PRE> <P>Anyone familiar with this usage that can give me a little advice? I'm far from a RegEx Guru, but if building this IDS myself without XML Edit access has taught me anything, it's the inner workings of RegEx.</P> <P>-Travis</P> Thu, 26 Sep 2013 15:17:43 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Show-two-timecharts-in-one-dashboard-panel/m-p/74133#M3984 tfitzgerald15 2013-09-26T15:17:43Z https://community.splunk.com/t5/Dashboards-Visualizations/Show-two-timecharts-in-one-dashboard-panel/m-p/74134#M3985 <P>The problem is that your timechart returns result in a table like :<BR /> _time ip1 ip2 ip3<BR /> 2013-09-26 11:00:00 valueA valueB valueC<BR /> 2013-09-26 11:10:00 valueA valueB valueC<BR /> etc...</P> <P>and your trendline function is looking for a "count" field that doesn't exits anymore ( it has the name of the frp_ip instead)</P> <P>You could do a specific trendline for a precise ip only.</P> <P>Or use a general trendline over the total values</P> <P><CODE>sourcetype="pan_threat" log_subtype="spyware" (severity="high" OR "critical") | eval frp_ip=if(dst_zone="trust", dst_ip, src_ip) | timechart count by frp_ip useother=f | addtotals | trendline sma5(Total)</CODE></P> Thu, 26 Sep 2013 19:24:30 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Show-two-timecharts-in-one-dashboard-panel/m-p/74134#M3985 yannK 2013-09-26T19:24:30Z