topic timechart - how to work with timechart and stats count by in Dashboards & Visualizations

timechart - how to work with timechart and stats count by

juliop3p — Thu, 16 Jun 2022 22:24:08 GMT

Hi guys, i need some help.

I'm trying to make a time chart to compare how many times my system gets restarted comparing today with 7 days ago.

I have this healthcheck log and the first log is when the user logs in for the first time and the next is the times that the user restarts my app.

with the following query works just fine the problem here is that i get the results from (initialization + restart) but i want the result just from the restart.

index=myIndex Title=Healthcheck earliest=-10d@d latest=@d | timechart span=1h count | timewrap d series=short | fields _time s0 s7 | rename s0 as Today, s7 as "7 days ago"

with this other query i have exactly the restart from each user but i cant make it work with time chart.

index=myIndex Title=Healthcheck | stats count by Data.Ip | eval count = count - 1

if it was confused i posted this other question explaining my scenario: https://community.splunk.com/t5/Splunk-Search/How-to-change-the-result-of-my-stats-count/td-p/600364

Re: timechart - how to work with timechart and stats count by

ITWhisperer — Fri, 17 Jun 2022 03:28:41 GMT

Can you identify which of the events in the index are initialisation events and which are restart events?

Re: timechart - how to work with timechart and stats count by

juliop3p — Fri, 17 Jun 2022 04:16:20 GMT

i can't, i just know that the first log from each hostname is the initialisation.

Re: timechart - how to work with timechart and stats count by

VatsalJagani — Fri, 17 Jun 2022 05:31:11 GMT

@juliop3p - Kindly post sample events, that will make it easier to understand.

Re: timechart - how to work with timechart and stats count by

ITWhisperer — Fri, 17 Jun 2022 05:35:00 GMT

Would that be the first log for each host ever, no matter what the time frame for the search, e.g. only looking at yesterday? Or, the first log for each host each day, no matter what the time frame for the search, e.g. only looking at yesterday afternoon?

Re: timechart - how to work with timechart and stats count by

juliop3p — Fri, 17 Jun 2022 05:50:39 GMT

every time a user open the app generate a healthcheck log like that:

Data
- HostName: 1234
- AppVersion: 1.0.0
- SO: W10

the same user (HostName) can have like 3 of this logs in one day but i want to track just reinitialisation, so in this example i have 3 logs:

1 log : initialisation
2 logs: reinitialisation

and i want to have a timechart view so i can track the total reinitialisation by hour comparing with 7 day ago

Re: timechart - how to work with timechart and stats count by

ITWhisperer — Fri, 17 Jun 2022 06:04:49 GMT

What happens if the user closes the app and re-opens it on the same day? Can you distinguish this as a new initialisation?