topic Re: Timechart reporting zeros in counts in Dashboards & Visualizations

Timechart reporting zeros in counts

Mindy_McTiernan — Wed, 24 Jan 2024 19:46:07 GMT

I am trying to use the following search to make a timechart on security incident sources, but Splunk is reporting zeros for all the counts which I can confirm is NOT accurate at all. I think the issue is because I need to use a different time field for the timeline. Can someone assist me in making this chart work?

index=sir sourcetype=sir | rex field=dv_affected_user "(?<user>[[:alnum:]]{5})\)" | rex mode=sed field=opened_at "s/\.0+$//" | rex mode=sed field=closed_at "s/\.0+$//" | rename opened_at AS Opened_At, closed_at AS "Closed At", number AS "SIR Number", dv_assignment_group AS "Assignment Group", dv_state AS State, short_description AS "Short Description", close_notes AS "Closed Notes", dv_u_organizational_action AS "Org Action", u_concern AS Concern, dv_u_activity_type AS "Activity Type", dv_assigned_to AS "Assigned To" | eval _time=Opened_At | eval Source=coalesce(dv_u_specific_source, dv_u_security_source) | fillnull value=NULL Source | table Source, _time, "SIR Number" | timechart span=1mon count usenull=f by Source

Re: Timechart reporting zeros in counts

Mindy_McTiernan — Wed, 24 Jan 2024 20:33:32 GMT

I should add that the format of the Opened_At field is '2023-02-03 15:39:44'

Re: Timechart reporting zeros in counts

burwell — Wed, 24 Jan 2024 20:35:33 GMT

Here's the answer https://community.splunk.com/t5/Splunk-Search/how-to-use-a-field-as-timestamp-for-a-timechart/m-p/145037

Use strptime to format your field Opened_At and create a unixtimestamp

Then assign that to _time

Re: Timechart reporting zeros in counts

Mindy_McTiernan — Tue, 30 Jan 2024 17:17:38 GMT

This allows me to create a timechart, but the time picker isn't connecting to it. So if I ask for a 90 day timechart I get all records for the last year vs just the last 90 days worth of data. Is there a fix for that @burwell ?

Re: Timechart reporting zeros in counts

burwell — Wed, 31 Jan 2024 16:32:33 GMT

Does adding | addinfo help you @Mindy_McTiernan

https://www.splunk.com/en_us/blog/tips-and-tricks/i-cant-make-my-time-range-picker-pick.html

| eval unixtime_Opened_At | eval _time=unixtime_Opened_At | addinfo | timechart ...

Re: Timechart reporting zeros in counts

Mindy_McTiernan — Wed, 31 Jan 2024 17:14:14 GMT

Thank you for sharing that link @burwell ! It was hugely helpful. What finally ended up working was the following: The additional where line was key. Thank you for helping me work through this!

| eval _time = strptime(Opened_At,"%Y-%m-%d %H:%M:%S") | sort -_time | addinfo | where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")