topic Re: Timechart - Count columns per day in Splunk Search

Timechart - Count columns per day

fbl_itcs — Wed, 15 Jan 2014 09:29:20 GMT

Hi,

I'm doing a simple timechart search:

index=XXX | timechart span=1d count by src_ip

This leads to a table/chart like this:

_time 10.10.0.1 10.10.0.2 192.168.2.1
01.01. 0 0 3
02.01. 1 4 0
...

What I need is a field/column for how many different src_ip there were at each day (so at the first row it would be 1, at the second 2). The problem is I don't know how to use eval in this case because the field names (= column header names) are not known to me --> It could be any IP address.

Any ideas?

Thanks,
Felix

Re: Timechart - Count columns per day

my_splunk — Wed, 15 Jan 2014 14:29:46 GMT

Hi Felix,

you can try

index=XXX | timechart span=1d dc(src_ip) as diff_src_ip

Bye

Re: Timechart - Count columns per day

fbl_itcs — Mon, 28 Sep 2020 15:40:05 GMT

I don't see how I could use this to put the diff_src_ip into the same command. It works by it's own (which I would be able to do by myself ;)) but it doesn't help me with my problem.

Re: Timechart - Count columns per day

my_splunk — Mon, 28 Sep 2020 15:40:08 GMT

ok, so you desire to have as results of your search this
time 10.10.0.1 10.10.0.2 192.168.2.1 diff_src_ip
01.01. 0 0 3 1
02.01. 1 4 0 2

It is all rigth?

Re: Timechart - Count columns per day

Ayn — Thu, 16 Jan 2014 09:40:24 GMT

I had a look at this and it's surprisingly tricky (to me at least). The problem is that you can't mix stats calculated by some field with stats calculated over the entire set - once you've specified a split-by clause in your stats command, ALL stats will be calculated by that way.

The only solution I've come up with is running one stats command for generating a column containing the unique IP count for each timespan, and then use appendcols for adding the individual columns for each IP. This is pretty slow and resource intensive because appendcols needs to run its own subsearch, so you have to run the same base query twice. I'd be happy if someone could find a better solution, but for what it's worth, here is mine:

index=XXX | timechart span=1d dc(src_ip) | appendcols [search index=XXX | timechart span=1d count by src_ip | fields - _time]

Re: Timechart - Count columns per day

fbl_itcs — Thu, 16 Jan 2014 09:44:22 GMT

That's correct.

Re: Timechart - Count columns per day

fbl_itcs — Thu, 16 Jan 2014 10:23:01 GMT

This definitely works. It is kind of slow but as a start a good solution. Thank you!

Re: Timechart - Count columns per day

ryanmims — Tue, 04 Mar 2014 13:48:20 GMT

Felix, did you ever get this figured out? If so, what was the solution?

Re: Timechart - Count columns per day

fbl_itcs — Mon, 28 Sep 2020 16:06:20 GMT

Hi, I used the solution from Ayn, that looks like:

index=abc sourcetype=xxx_log | timechart span=1d dc(src_ip) as sources | appendcols [search index=abc sourcetype=xxx_log | timechart span=1d count by src_ip | fields - _time]