topic Re: How to write queries for below condition ? in Splunk Search

How to write queries for below condition ?

splunker969 — Wed, 28 Mar 2018 14:19:54 GMT

Hi,
we have hosts a,b,c,d,e,f hosts
looking for visualizations ?

1)Trend count of all "filedname " per week for last 3 months?
2)Trend of "filedname 2" 5 or 50 on a weekly basis with filters applied on event=AuthAccept

Both the above have filters applied on the 6 servers listed above

please help ?

Thanks,
Splunker969

Re: How to write queries for below condition ?

kmaron — Wed, 28 Mar 2018 14:35:52 GMT

1)Trend count of all "filedname " per week for last 3 months?

base search  earliest=-3month@month latest=now | timechart count(fieldname) by host span=1w

then visualize as a trellis split by host if you want individual graphs per host.

The second one sounds the same as the first. Just add your filter to the base search.

Re: How to write queries for below condition ?

splunker969 — Wed, 28 Mar 2018 15:06:47 GMT

Thanks kmaron 🙂

Re: How to write queries for below condition ?

splunker969 — Wed, 28 Mar 2018 15:21:05 GMT

Hi kmaron,

base search earliest=-3month@month latest=now | timechart count(fieldname) by host span=1w |search host=a OR host=b OR host=c OR host=d OR host=e the tail i added is not working can you hlep me .

Also second query please
Trend of "filedname 2" 5 or 50 on a weekly basis with filters applied on event=AuthAccept

Re: How to write queries for below condition ?

kmaron — Wed, 28 Mar 2018 15:26:49 GMT

your hosts, and any other filters, should be part of your base search

something like this:

index=yourindex sourcetype=yoursourcetype (host=a OR host=b OR host=c OR host=d OR host=e) earliest=-3month@month latest=now | timechart count(fieldname) by host span=1w

The second query sounds identical to the first query. Just add your filter to the base search and change fieldname to fieldname2

Re: How to write queries for below condition ?

splunker969 — Wed, 28 Mar 2018 15:30:14 GMT

query 2-It is having two fileds filedname 2 for event=AuthAccept

Re: How to write queries for below condition ?

kmaron — Wed, 28 Mar 2018 15:32:33 GMT

I don't understand. are you saying you want a count of two different fields for all of the hosts over time?

Re: How to write queries for below condition ?

splunker969 — Wed, 28 Mar 2018 16:03:12 GMT

Query 1 it is only displaying per month not week .
query 2 i am having two fileds ie. filedname 2 needed for event=AuthAccept (here event= AuthAccept is other filed )

Re: How to write queries for below condition ?

kmaron — Wed, 28 Mar 2018 16:36:06 GMT

I still don't understand what you're asking for query 2. What are the two fields you want to trend on? you said event=AuthAccept is a filter Or are you now saying event is a field that you want to trend on?

Re: How to write queries for below condition ?

splunker969 — Wed, 28 Mar 2018 16:54:36 GMT

no worries got it .Thanks

index=yourindex sourcetype=yoursourcetype (host=a OR host=b OR host=c OR host=d OR host=e) earliest=-3month@month latest=now event=AuthAccept | timechart count(fieldname2) by host span=1w

Re: How to write queries for below condition ?

splunker969 — Thu, 29 Mar 2018 18:18:10 GMT

Hi Kmaron ,

sourcetype=* ( host="a" OR host="bOR host="c" OR host="d" OR host="e" OR host="f") event=AuthAccept (authlevel=5 OR authlevel=50)
earliest=-1month@month latest=now | chart count(authlevel) by date_wday
when I search count of 5 and 50 are coming in one column can i separate the 5 column and 50 separate c;columns in column chart .Any help .

Thanks,
Splunker969

Re: How to write queries for below condition ?

kmaron — Thu, 29 Mar 2018 18:49:30 GMT

Try this

sourcetype=* ( host="a" OR host="bOR host="c" OR host="d" OR host="e" OR host="f") event=AuthAccept (authlevel=5 OR authlevel=50)
earliest=-1month@month latest=now | chart count(authlevel) by date_wday, authlevel

Re: How to write queries for below condition ?

splunker969 — Tue, 29 Sep 2020 18:49:36 GMT

Hi kmaron thanks a lot It works .

One more question -

sourcetype=* ( host="a" OR host="bOR host="c" OR host="d" OR host="e" OR host="f")
earliest=-1month@month latest=now | chart count over agentName by date_wday

Can you help me with distinct count of agentName on y axis and date_wday on x-axis and dates from date_wday legends on right .

Thanks,
splunker969

Re: How to write queries for below condition ?

kmaron — Thu, 29 Mar 2018 19:14:49 GMT

date_wday only gives you the day of the week. What date are you saying you want as the legend?

Chart commands are basically three pieces. Your stats command which is your count, distinct count, etc. will build your Y axis. Your X axis will be your Over field and the BY field is your legend.

http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Chart

Re: How to write queries for below condition ?

splunker969 — Tue, 29 Sep 2020 18:49:41 GMT

Hi kmaron ,

yes your correct! Iam looking week kamron Iam looking for monday ,tuesdya,wed,th,friday,saturday,sunday legend .

with distinct count of agentName on y axis and date_wday on x-axis and dates from date_wday legends on right .
can you help me kmaron

Re: How to write queries for below condition ?

splunker969 — Thu, 29 Mar 2018 21:52:12 GMT

sourcetype=* ( host="a" OR host="bOR host="c" OR host="d" OR host="e" OR host="f")
earliest=-1month@month latest=now|stats dc(agentName) as count by date_wday

serached this one but right side unable to display legend- monday ,tuesdya,wed,th,friday,saturday,sunday legend .Any help?