topic Re: How to create a timechart with multiple fields by their event count and rename their lines for the visualization? in Splunk Search

How to create a timechart with multiple fields by their event count and rename their lines for the visualization?

santorof — Wed, 09 Sep 2015 13:23:36 GMT

I currently have a search that is appending two more searches to the original for a single line chart that will show the three searches each on a different line. I have looked through documentation and other answer posts, but have yet to find what I'm looking for. I need to be able to rename each line so I can define which is what. From what I have read, the AS command should be renaming, but I'm probably wrong. As a bonus question, is there a way I can define colors for each search that is being done?

index=* sourcetype=fortigate  dstcountry="Russian Federation" | timechart span=1hr as Russia by events  | append [search index=* sourcetype=fortigate dstcountry="Iran, Islamic Republic of"  |  timechart span=1hr as Iran by events ] | append [search sourcetype=fortigate dstcountry=China | timechart span=1hr as China by events  ]

Re: How to create a timechart with multiple fields by their event count and rename their lines for the visualization?

richgalloway — Wed, 09 Sep 2015 13:58:46 GMT

Is events a field?

Re: How to create a timechart with multiple fields by their event count and rename their lines for the visualization?

badarsebard — Wed, 09 Sep 2015 14:38:15 GMT

I think what you are really looking for is the split by functionality. You should be able to do this using a single search (no subsearches or appends needed) and then do a timechart count by field. Also, if you need to change the value of the dstcountry field to something a little more user-friendly like you have then you can use a case command in eval.

So you'd want to do something like this:

sourcetype=fortigate (dstcountry="Russian Federation" OR  dstcountry="Iran, Islamic Republic of" OR dstcountry=China)
| eval dstcounrty=case(dstcountry == "Russian Federation","Russia",dstcountry == "Iran, Islamic Republic of", "Iran", dstcountry == "China","China")
| timechart span=1h count by dstcountry

Re: How to create a timechart with multiple fields by their event count and rename their lines for the visualization?

santorof — Wed, 09 Sep 2015 15:14:46 GMT

I dont believe so. I just always assumed either counting by event or events would go by the results or number of events returned

Re: How to create a timechart with multiple fields by their event count and rename their lines for the visualization?

santorof — Wed, 09 Sep 2015 15:21:13 GMT

I dident realize there was no need an append because they were all the same sourcetype. I understand what is going on but with the eval and case command with the two quotes that should be able to change the output name correct? I tried changing both fields when running the search and neither seemed to change it.

Re: How to create a timechart with multiple fields by their event count and rename their lines for the visualization?

badarsebard — Wed, 09 Sep 2015 16:16:36 GMT

I'm not sure what you're saying. What do you mean by both fields. Are the values for dstcountry not changing correctly based on the case command?

Re: How to create a timechart with multiple fields by their event count and rename their lines for the visualization?

santorof — Wed, 09 Sep 2015 16:52:25 GMT

Yes like you said in the answer the case command in eval should change the value of dstcountry to something more user friendly. So instead of Iran Islamic Republic of I would rather just shorten it to Iran. Currently its defaulting to the Iran Islamic Republic of

Re: How to create a timechart with multiple fields by their event count and rename their lines for the visualization?

badarsebard — Wed, 09 Sep 2015 17:11:35 GMT

Might be an issue with unbalanced quotes or how the field value is showing up. Can you post the search you're using and the data?

Re: How to create a timechart with multiple fields by their event count and rename their lines for the visualization?

santorof — Wed, 09 Sep 2015 17:38:41 GMT

sourcetype=fortigate (dstcountry="Russian Federation" OR dstcountry="Iran, Islamic Republic of" OR dstcountry=China OR dstcountry="Syrian Arab Republic" OR dstcountry="Saudi Arabia" ) | eval dstcounrty=case(dstcountry == "Russian Federation","Russia",dstcountry== "Iran, Islamic Republic of", "Iran",dstcountry== "China","China", dstcountry== "Syrian Arab Republic","Syria", dstcountry== "Saudi Arabia","Saudi Arabia" ) | timechart span=1h count by dstcountry

Re: How to create a timechart with multiple fields by their event count and rename their lines for the visualization?

badarsebard — Wed, 09 Sep 2015 18:14:22 GMT

Found the problem. I had a typo in my original post. The eval field is typed out "dstcounRTy" instead of dstcounTRy. This creates a second field with a similar looking name and leaves the original field unchanged.

Re: How to create a timechart with multiple fields by their event count and rename their lines for the visualization?

santorof — Wed, 09 Sep 2015 18:25:52 GMT

Ahh ok. Totally see that. I made the change and its working as intended. Thank you again for the help!