https://community.splunk.com/t5/Splunk-Search/How-to-use-timechart-command-for-the-below-query/m-p/434528#M124001 <P>This is the query i m using:<BR /> <STRONG>query1:</STRONG></P> <PRE><CODE>sourcetype=tanium earliest=-24h query="User-Sessions-and-Boot-Time-Details-from-Windows" OR query="User-current-session-details-&amp;-Last-Boot-Time---Mac-OSX-to-Splunk" Uptime="1 days" OR Uptime="Less than 1 day" NOT Last_Logged_In_User="*adm"| table Computer_Name Last_Logged_In_User OS_Boot_Time Last_Reboot| eval LastReboot = coalesce(OS_Boot_Time, Last_Reboot)| dedup LastReboot,Last_Logged_In_User| stats count by Computer_Name,Last_Logged_In_User | where count&gt;2 </CODE></PRE> <P>i need a trend analysis for this query for last 30 days.</P> <P>I also did this:<BR /> <STRONG>query2:</STRONG></P> <PRE><CODE>sourcetype=tanium query="User-Sessions-and-Boot-Time-Details-from-Windows" OR query="User-current-session-details-&amp;-Last-Boot-Time---Mac-OSX-to-Splunk" NOT Last_Logged_In_User="*adm" | eval LastReboot = coalesce(OS_Boot_Time, Last_Reboot)| dedup LastReboot,Last_Logged_In_User| timechart span=1d count |eval day = strftime(_time,"%d %b %y , %a") |chart sum(count) by day </CODE></PRE> <P>But, this gives me the entire number of events.<BR /> Can anyone help me how to add required condition from query1 to query2</P> Fri, 08 Mar 2019 05:49:03 GMT divyathota 2019-03-08T05:49:03Z https://community.splunk.com/t5/Splunk-Search/How-to-use-timechart-command-for-the-below-query/m-p/434528#M124001 <P>This is the query i m using:<BR /> <STRONG>query1:</STRONG></P> <PRE><CODE>sourcetype=tanium earliest=-24h query="User-Sessions-and-Boot-Time-Details-from-Windows" OR query="User-current-session-details-&amp;-Last-Boot-Time---Mac-OSX-to-Splunk" Uptime="1 days" OR Uptime="Less than 1 day" NOT Last_Logged_In_User="*adm"| table Computer_Name Last_Logged_In_User OS_Boot_Time Last_Reboot| eval LastReboot = coalesce(OS_Boot_Time, Last_Reboot)| dedup LastReboot,Last_Logged_In_User| stats count by Computer_Name,Last_Logged_In_User | where count&gt;2 </CODE></PRE> <P>i need a trend analysis for this query for last 30 days.</P> <P>I also did this:<BR /> <STRONG>query2:</STRONG></P> <PRE><CODE>sourcetype=tanium query="User-Sessions-and-Boot-Time-Details-from-Windows" OR query="User-current-session-details-&amp;-Last-Boot-Time---Mac-OSX-to-Splunk" NOT Last_Logged_In_User="*adm" | eval LastReboot = coalesce(OS_Boot_Time, Last_Reboot)| dedup LastReboot,Last_Logged_In_User| timechart span=1d count |eval day = strftime(_time,"%d %b %y , %a") |chart sum(count) by day </CODE></PRE> <P>But, this gives me the entire number of events.<BR /> Can anyone help me how to add required condition from query1 to query2</P> Fri, 08 Mar 2019 05:49:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-timechart-command-for-the-below-query/m-p/434528#M124001 divyathota 2019-03-08T05:49:03Z https://community.splunk.com/t5/Splunk-Search/How-to-use-timechart-command-for-the-below-query/m-p/434529#M124002 <P>If you want a trendline, you might want to use <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/trendline">trendline</A> instead of chart. This one does what you want. Look at the examples in the docs.<BR /> Also, you might want to use <CODE>Last_Logged_In_User!="*adm"</CODE> instead of <CODE>NOT Last_Logged_In_User="*adm"</CODE> if you're always expecting a user in your events.</P> <P>Edit: In your first query, that <CODE>table</CODE> command is kind of useless. You can remove it If you're after speeding up the query, replace it with <CODE>fields</CODE> and put only the needed events in.</P> <P>Skalli</P> Sun, 10 Mar 2019 16:27:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-timechart-command-for-the-below-query/m-p/434529#M124002 skalliger 2019-03-10T16:27:07Z https://community.splunk.com/t5/Splunk-Search/How-to-use-timechart-command-for-the-below-query/m-p/434530#M124003 <P>@divyathota, is the following what you are looking for?</P> <PRE><CODE>sourcetype=tanium earliest=-24h query="User-Sessions-and-Boot-Time-Details-from-Windows" OR query="User-current-session-details-&amp;-Last-Boot-Time---Mac-OSX-to-Splunk" Uptime="1 days" OR Uptime="Less than 1 day" Last_Logged_In_User!="*adm" | eval LastReboot = coalesce(OS_Boot_Time, Last_Reboot) | dedup LastReboot,Last_Logged_In_User | bin _time span=1d | stats count by _time, Last_Logged_In_User, Computer_Name | search count&gt;2 | timechart sum(count) as Total </CODE></PRE> Sun, 10 Mar 2019 17:31:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-timechart-command-for-the-below-query/m-p/434530#M124003 niketn 2019-03-10T17:31:51Z https://community.splunk.com/t5/Splunk-Search/How-to-use-timechart-command-for-the-below-query/m-p/434531#M124004 <P>Like this?</P> <PRE><CODE>index=YouShouldAlwaysSpecifyIndexValues AND ((sourcetype=tanium AND query="User-Sessions-and-Boot-Time-Details-from-Windows") OR (query="User-current-session-details-&amp;-Last-Boot-Time---Mac-OSX-to-Splunk" AND NOT Last_Logged_In_User="*adm")) | eval LastReboot = coalesce(OS_Boot_Time, Last_Reboot) | dedup LastReboot,Last_Logged_In_User | bin _time span=1d | eventstats count BY Computer_Name,Last_Logged_In_User _time | where count&gt;2 | timechart span=1d count | eval day = strftime(_time,"%d %b %y , %a") | chart sum(count) by day </CODE></PRE> <P>NOTE: I may not have done the parentheses correctly but you should NEVER EVER mix <CODE>AND</CODE> and <CODE>OR</CODE> without parentheses!</P> Mon, 11 Mar 2019 03:20:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-timechart-command-for-the-below-query/m-p/434531#M124004 woodcock 2019-03-11T03:20:06Z