topic Re: Timechart with eventtype in Splunk Search

Timechart with eventtype

noman377 — Thu, 11 Nov 2021 12:44:44 GMT

Hello, I am trying to timechart two event types ONLY: heartbeat and start.
However, every event in our Splunk is also mapped as nix-all-logs and few other events by the system admin.
Attached are screenshots. How can I timechart these 2 event types only.

Re: Timechart with eventtype

PickleRick — Thu, 11 Nov 2021 12:57:20 GMT

https://docs.splunk.com/Documentation/Splunk/8.2.3/Knowledge/Abouteventtypes

The important part here is that a single event can belong to multiple eventtypes.

So if you want to count only those eventtypes, you have to first search for them, and then filter the results to leave only those two entries.

Re: Timechart with eventtype

noman377 — Mon, 15 Nov 2021 14:23:50 GMT

@PickleRick - read through the documentation and tried search first as suggested and then timechart count by eventtype, it did not work. Not sure what i'm doing wrong. any help is appreciated. the eventtype that is present in every events is still present in the chart.

eventtype=heartbeat namespace::my-namespace
| search eventtype=heartbeat
| timechart count by eventtype span=1m
```only want to see eventtype heartbeat```

Re: Timechart with eventtype

PickleRick — Mon, 15 Nov 2021 19:59:38 GMT

Close, but not quite 🙂

Try to understand what you're doing.

Firstly, you search for some events with eventtype=heartbeat. Now everything is ok.

Of those events some will have more than one eventtype.

Then you do

| search eventtype=heartbeat

Which effectively doesn't do anything at this point since all events you find in the previous step had eventtype=heartbeat. So you pass this stepp with your full set of resulting events of which some have more than one eventtype.

Then if you do the timechart by eventtypes of course all your eventtypes will get included in the results

What did you do wrong? You did a search in the wrong place.

You should have done stats first, so you get results for all eventtypes and _then_ search (in the resulting stats) for wanted eventtypes.

eventtype=heartbeat namespace::my-namespace
| timechart count by eventtype span=1
| search eventtype=heartbeat

Re: Timechart with eventtype

noman377 — Wed, 17 Nov 2021 12:10:59 GMT

@PickleRick - unfortunately, not able to make it work. The eventtype that is present for every log is still showing up in events tab and timechart tab comes out empty.

Re: Timechart with eventtype

PickleRick — Wed, 17 Nov 2021 12:47:16 GMT

Ahhh. Of course. Timechart renders the data as table with eventtypes as columns.

So in order to return only heartbeat eventtype you'd need to not | search but simply

 | table _time heartbeat