topic Re: Timechart as VS Timechart by in Splunk Search

Timechart as VS Timechart by

shayhibah — Wed, 29 Aug 2018 14:02:23 GMT

Over the last 3 days I was trying to create dashboard with single value + trends.

The query was something like this:

| dedup 1 src | timechart count by src

The goal was to get total number of src based on dashboard time range (before talking about the trends).

right now, by mistake (must be honest), I changed the query so I replaced the word by with as and it seems to work but not perfectly - when I change the time range to all time i expect to see all events but I get only one of them (although there are 5 events in results):

Can someone please tell me why I got confused and to translate my goal above into query correctly for next time?

Thanks

Re: Timechart as VS Timechart by

andreacorvini — Wed, 29 Aug 2018 14:21:46 GMT

With "by src" you have 1 result per event, it's not one value.
With "as src" you have 1 "count" result renamed in "src".

Re: Timechart as VS Timechart by

horsefez — Wed, 29 Aug 2018 14:21:54 GMT

Hi @shayhibah,

so what you are doing with your first search will split the timechart count by your Source IP.
So you basically count e.g. every hour how many Source IPs have been seen and split this value by each unique Source IP.

When using AS or as instead of by you are renaming the count field as "src"
You are now creating a count of all the Source IPs that where seen in e.g. an hour over time.

Re: Timechart as VS Timechart by

DalJeanis — Wed, 29 Aug 2018 14:30:53 GMT

If you are looking for the total number of different srcs in any given time period, then use this

  | timechart dc(src)

Re: Timechart as VS Timechart by

shayhibah — Wed, 29 Aug 2018 14:35:46 GMT

@DalJeanis
next to events tab I still see 5 but when I visualize it using single value, I see only 1

Re: Timechart as VS Timechart by

shayhibah — Wed, 29 Aug 2018 14:36:51 GMT

@pyro_wood
Thank you for the clarification, but if so, I see 5 events but when I visualize it using single value - I see only 1 instead of 5

Re: Timechart as VS Timechart by

shayhibah — Wed, 29 Aug 2018 14:37:09 GMT

@andreacorvini
Thank you for the clarification, but if so, I see 5 events but when I visualize it using single value - I see only 1 instead of 5

Re: Timechart as VS Timechart by

andreacorvini — Wed, 29 Aug 2018 14:50:33 GMT

Yes, you see 1 "count" field with value=5. No?

Re: Timechart as VS Timechart by

andreacorvini — Wed, 29 Aug 2018 15:05:38 GMT

| timechart count as src is the right code (count of "src" events renamed in "src").

If you use "count by src" and you have deduplicated "by src" in the previous action, you can have always 1 as result (1 event per "src").