topic Re: In pulling stats data via a CSV file to a timechart, why are my results doubling? in Splunk Search

In pulling stats data via a CSV file to a timechart, why are my results doubling?

bablucho — Fri, 21 Sep 2018 08:55:18 GMT

I'm pulling in stats data via CSV file. I am using a specific column header "LoginTime" as the Date field

I've timecharted to look at the distinct Usernames over a period of time.

base search |timechart dc(Username)

However, the results are doubling up due to _time results which are also showing in unix time.

for e.g
a Username result is found with the Date field result 01/08/2018 22:22:14
and the _time result is 2018-08-31T22:37:50.000+01:00 in the same event.

A timechart period 'All time' outputs this as 2 results:

a result for 31st August and _time result as 2018-01-08T22:22:14.000+00:00

can I switch the _time to display the timechart results as day, month, year? NOT year, day, month.

Re: In pulling stats data via a CSV file to a timechart, why are my results doubling?

Sukisen1981 — Fri, 21 Sep 2018 09:24:08 GMT

Yes, you can. I did not get your exact requirements, but I do understand that you need to tinker your _time scale to fit your requirements , basically try something like this?base search |eval time=<your formatted time>|eval _time=time|timechart dc(Username)

Re: In pulling stats data via a CSV file to a timechart, why are my results doubling?

bablucho — Fri, 21 Sep 2018 09:44:50 GMT

did you mean base search |eval _time=time|timechart dc(Username)

I'm getting a limited number of events and no timechart visualisation

Re: In pulling stats data via a CSV file to a timechart, why are my results doubling?

Sukisen1981 — Fri, 21 Sep 2018 15:12:53 GMT

sorry I am not very clear on you requirements
How is a different format for _time going to resolve your 'doubling' of timechart results?
Are you trying to use the Date field (login time) to be your time over which you want to build the timechart?
Yes, you are right i meant eval _time=time BUT then i want to see how you are building the field 'time', in other words the eval preceding eval _time=time , ie eval time=??what.
Can you share your query?

Re: In pulling stats data via a CSV file to a timechart, why are my results doubling?

Vijeta — Fri, 21 Sep 2018 17:05:46 GMT

Do you want to see distinct user names in a day or hour or whenever they are in event.
You can give span=1d if you are looking for distinct users in a day.
Timechart will consider _time field values only, if there is same user in different events it will be showing it as 2 count.

Re: In pulling stats data via a CSV file to a timechart, why are my results doubling?

bablucho — Mon, 24 Sep 2018 09:48:42 GMT

Hi Vijeta,

I'm running the following SPL
base search| timechart dc(Username) span=1d

the data is being pulled from a file that uses a specific column (LoginTime)as the time field.

the timechart is showing 1 event with 01/08/2018 23:15:29(LoginTime) 1st of August

the timechart is also showing a result for 2018-01-08T23:15:29.000+00:00(_time) 1st of January

it should only show the LoginTime field as the time values not the _time.

Re: In pulling stats data via a CSV file to a timechart, why are my results doubling?

bablucho — Mon, 24 Sep 2018 09:52:07 GMT

How is a different format for _time going to resolve your 'doubling' of timechart results?
because the LoginTime is showing a result in Timechart as 01/08 but the _time value is also in the Timechart showing as 08/01. I want to remove the _time value.

Are you trying to use the Date field (login time) to be your time over which you want to build the timechart?
Yes.

Yes, you are right i meant eval _time=time BUT then i want to see how you are building the field 'time', in other words the eval preceding eval _time=time , ie eval time=??what.
should be equal to Login time field

Can you share your query?
base search| timechart dc(Username) span=1d

Re: In pulling stats data via a CSV file to a timechart, why are my results doubling?

Vijeta — Mon, 24 Sep 2018 16:29:36 GMT

To me both the time look 1st of August and not 1st of January dince date fomat is mm/dd/YYYY .
Try changing the format for _time to the one of Login Time using strptime and strftime.