topic Re: Timechart with multiple where like statements in Splunk Search

Timechart with multiple where like statements

Marco — Tue, 18 Aug 2020 21:29:14 GMT

Hello Guys,

I'm trying to plot multiple values onto a time chart. These values are collected through a Where Like statement.

For Example:

host=* time count(where like(COMMAND,"% MKDIR%")) as "MKDIR", count(where like(COMMAND,"% LS%")) as "LS", count(where like(COMMAND,"CHMOD")) as "CHMOD"

the output i'm getting is a blank time chart.

Thank you

Re: Timechart with multiple where like statements

Nisha18789 — Tue, 18 Aug 2020 22:19:31 GMT

Hi @Marco have you tried

host=* COMMAND="* MKDIR*" OR COMMAND="* LS*" OR COMMAND="*CHMOD*" | timechart count by COMMAND

Re: Timechart with multiple where like statements

Marco — Wed, 19 Aug 2020 14:26:23 GMT

That's a bit closer to what I was looking for except its plotting out users that issued the command versus the count of how many people issued each different command.

What i'm looking for is something more like this:

Re: Timechart with multiple where like statements

Nisha18789 — Wed, 19 Aug 2020 14:58:01 GMT

ok, so it appears like the COMMAND field is not just containing the command but the user info as well who requested it ? If so, we can first extract a new field from the COMMAND field to separate out the commands and then perform a timechart on that. Can you share a few values of the COMMAND field?

Re: Timechart with multiple where like statements

Nisha18789 — Wed, 19 Aug 2020 18:59:27 GMT

Hi @Marco , I have updated the query , could you try this and see it that works?

...| eval MKDIR=If(Like(COMMAND,"%MKDIR%"),1,0),LS=if(Like(COMMAND,"% LS%"),1,0),CHMOD=if(Like(COMMAND,"%CHMOD%"),1,0)
| timechart sum(MKDIR) as MKDIR sum(LS) as LS sum(CHMOD) as CHMOD

Re: Timechart with multiple where like statements

Marco — Wed, 19 Aug 2020 18:34:19 GMT

Hi @Nisha18789

Correct the Command field contains a whole string

ex:

COMMAND="Aug 18 13:01:59 RMDIR (userid) "

COMMAND="Aug 18 13:00:04 MKDIR (JOHNDOE) "

COMMAND="Aug 18 13:00:06 LS(SALLY) "

COMMAND="Aug 18 13:00:09 MKDIR (TOM)"

Which is why I originally used the Where Like functions since in a way it searches the string to see if a part of the string matches the given parameters. Followed by the count function to count each occurrence.

Unfortunately the solution you suggested gave me a blank time chart.

Re: Timechart with multiple where like statements

Nisha18789 — Wed, 19 Aug 2020 19:55:27 GMT

@Marco , please try the updated query and let me know if that works.

Re: Timechart with multiple where like statements

Marco — Wed, 19 Aug 2020 20:23:54 GMT

Thank you so much it worked!!!! @Nisha18789