topic Re: Charting Assistance in Splunk Search

Charting Assistance

yepyepyayyooo — Mon, 06 Jan 2020 14:55:42 GMT

I'm having an issue with a visualization. Works fine if I don't try to do the fancy eval but won't plot out in visualization when I do.

index="bro" sourcetype="bro_conn" dest_ipi_zone="INT" dest_ipi_zone="INT" TERM(1.1.1.1) bytes>=50000
| eval bytes+=case( 
    bytes>=(1024*1024*1024*1024),round(bytes/(1024*1024*1024*1024),0)." TB",
    bytes>=(1024*1024*1024),round(bytes/(1024*1024*1024),0)." GB",
    bytes>=(1024*1024),round(bytes/(1024*1024),0)." MB",
    bytes>=1024,round(bytes/1024,0)." KB",
    1=1,bytes." B")
| lookup dnslookup clientip as dest_ip output clienthost as dest_dns
| eval time=strftime(_time,"%Y/%m/%d %H:%M")
| bucket time span=4h 
| chart values(bytes+) by time dest_dns usenull=f useother=f limit=5

Re: Charting Assistance

richgalloway — Mon, 06 Jan 2020 15:33:22 GMT

By "fancy eval" do you mean the eval that creates the 'bytes+' field? If so, have you tried using a field name without '+' in it?

Re: Charting Assistance

yepyepyayyooo — Mon, 06 Jan 2020 15:37:25 GMT

Yes, that's just the name of the new field. I named it bytess, bytes1, etc. Doesn't make a difference :'(

Re: Charting Assistance

richgalloway — Mon, 06 Jan 2020 16:26:45 GMT

So what is the query that works?

Re: Charting Assistance

yepyepyayyooo — Mon, 06 Jan 2020 16:28:45 GMT

I don't know, that's what I'm asking Splunk Answers for.

Re: Charting Assistance

richgalloway — Mon, 06 Jan 2020 17:38:54 GMT

"Works fine if I don't try to do the fancy eval ". Please share the part that works fine.