topic Re: Timechart Help in Splunk Search

How to have all of the CLTW workstations to be summed up as 1 count and so forth for the other locations?

jialiu907 — Fri, 19 May 2023 12:32:14 GMT

I am having trouble with using the time chart command effectively to make count of all workstations and with them broken down by location over time.

Currently my search is displaying each count of every workstation by location, but instead I am trying to have a sum count of the workstations displayed over every day.

This is the current search.

index=main $WSprefix$ sourcetype=syslog process=elcsend "\"config " CentOS | rex "([^!]*!){2}(?P<type>[^!]*)!([^!]*!){4}(?P<role>[^!]*)!([^!]*!){23}(?P<vers>[^!]*)" | dedup host | search role=std-dhcp | timechart span=1d count by host

This is one output for a location.

This is an output for another location.

I have implemented a dropdown menu that selects the location based on the hosts prefix.

I am looking to have all of the CLTW workstations to be summed up as 1 count and so forth for the other locations.

Re: Timechart Help

ITWhisperer — Thu, 18 May 2023 20:17:36 GMT

| eval location=mvindex(split(host,"/"),0) | timechart span=1d count by location

Re: Timechart Help

jialiu907 — Fri, 19 May 2023 14:07:42 GMT

The results still being displayed is that each host is counted as one, when what I am looking for is for all of the host to be summed up.

For reference, for the input dropdown menu, the token I am using is ALL="host=*", CLTW="host=cltw", ORLA="host=orla*", etc.

Re: Timechart Help

ITWhisperer — Fri, 19 May 2023 14:18:02 GMT

OK I misread your picture (that's the problem with using graphics rather than pasting text into code blocks </>!)

Try changing your drop down to

ALL="host=", CLTW="host=cltw", ORLA="host=orla", etc.

Then use

$token$*

in your search, i.e. remove the * from the token and append it where it is used.

That way you can use

| eval location=$token|s$

Re: Timechart Help

jialiu907 — Fri, 19 May 2023 15:52:10 GMT

Where are you suggesting to put?

$token$*

I have tried putting that in Token in the editing option of the dropdown and it is invalid.

Currently my dropdown list looks like this.

I have tried changing to your suggestion of

ALL="host=", CLTW="host=cltw", ORLA="host=orla", etc.

but without the *, the search doesn't work. I assume it's due to the fact there are multiple hosts that starts with "cltw", "orla", etc, and none that is exactly just "cltw" or "orla".

Re: Timechart Help

ITWhisperer — Fri, 19 May 2023 16:37:01 GMT

Where are you using the token in your search?

Re: Timechart Help

jialiu907 — Fri, 19 May 2023 17:29:45 GMT

index=main $token$ sourcetype=syslog process=elcsend "\"config " CentOS | rex "([^!]*!){2}(?P<type>[^!]*)!([^!]*!){4}(?P<role>[^!]*)!([^!]*!){23}(?P<vers>[^!]*)" | dedup host | search role=std-dhcp | eval location=$token|s$ | timechart span=1d count by location

This is my current search

Re: Timechart Help

ITWhisperer — Fri, 19 May 2023 17:35:25 GMT

Try setting all to "" and setting the values of the other choices to just the location then use this search

index=main host=$token$* sourcetype=syslog process=elcsend "\"config " CentOS | rex "([^!]*!){2}(?P<type>[^!]*)!([^!]*!){4}(?P<role>[^!]*)!([^!]*!){23}(?P<vers>[^!]*)" | dedup host | search role=std-dhcp | eval location=$token|s$ | timechart span=1d count by location

Re: Timechart Help

jialiu907 — Fri, 19 May 2023 17:53:15 GMT

I have done your suggestions and I am looking to see what I should put in the Token field. Currently the input menu is displaying "could not create search" as I think the connection from the search and to the dropdown menu is broken.

This is what I have done with the dropdown menu as well

Re: Timechart Help

jialiu907 — Fri, 19 May 2023 18:49:04 GMT

I think I fixed the situation with the "could not create search" as I just deleted the dropdown menu and made it again, the exact same way. I'm not sure what caused the issue but the connection does seem to work now.

Thank you for helping me through all this trouble!