topic Re: Why does the Timechart command with eval result returns empty visualization? in Splunk Search

Why does the Timechart command with eval result returns empty visualization?

ivan128 — Fri, 02 Mar 2018 17:21:55 GMT

Hello, I have the following search that calculates a risk value with eval

index=thing sourcetype=thing name=thing earliest=-60d latest=-7d|bucket _time span=1mon | dedup plugin_family plugin_name host-ip ports{}.port ports{}.protocol ports{}.transport | chart count by plugin_family,severity | stats sum(*) as *| join [search index=thing sourcetype=thing name=thing NOT severity=informational | dedup host-ip | chart count as "TOTAL VULNERABLES HOSTS"| stats values(TOTAL VULNERABLES HOSTS) as VH] | join [search  index=thing sourcetype=thing name=thing | dedup host-ip | chart count as "TOTAL HOSTS" | stats values(TOTAL HOSTS) as TH]| fillnull critical, high,medium,low |eval RiskValue=/Formula/| timechart span=1mon max(RiskValue)

VH,TH and RiskValue show the correct values when I checked them with |fields TH,VH,RiskValue but when I try to timechart the RiskValue it shows 0 results, I suspect its because timechart lacks timestamps to chart the risk values. I tried to use a bucket of 1 month and using span 1 mon in timechart but still there is no visualization. I searched through the forums but it seems every solution to charting an eval is specific to the search and I couldn't find any general rules or solutions that I could work from. Any help is appreciated, thanks.

Re: Why does the Timechart command with eval result returns empty visualization?

kmaron — Fri, 02 Mar 2018 17:44:58 GMT

you need _time in order to do a timechart so I suspect you're losing your timestamp somewhere. If you add _time to your fields command are there values listed?

Re: Why does the Timechart command with eval result returns empty visualization?

adonio — Fri, 02 Mar 2018 17:49:14 GMT

yup, like @kmaron mentioned, you also lose the _time field whet using stats command

Re: Why does the Timechart command with eval result returns empty visualization?

ivan128 — Fri, 02 Mar 2018 18:16:55 GMT

the _time field returns a null value, what @adonio mentioned seems to be the cause, is there a way to keep the _time when using stats?

Re: Why does the Timechart command with eval result returns empty visualization?

kmaron — Fri, 02 Mar 2018 18:18:49 GMT

add by _time to the end of your stats

| stats sum(*) as * by _time

Re: Why does the Timechart command with eval result returns empty visualization?

ivan128 — Fri, 02 Mar 2018 18:39:27 GMT

Tried it and didn't work, I also tried using evalstats insted of stats but to no avail.

Edit: seems like I posted as answer instead of comment, apologies.

Re: Why does the Timechart command with eval result returns empty visualization?

kmaron — Fri, 02 Mar 2018 18:42:13 GMT

I just noticed you have a chart AND a stats. the chart would be dropping the _time field as well.

Re: Why does the Timechart command with eval result returns empty visualization?

kmaron — Fri, 02 Mar 2018 19:01:39 GMT

I think you have a lot more going on than is necessary, especially the joins and subsearches and chart/stats. I don't have a way to test this so I don't know if it's quite correct but I thin its close?

index=thing sourcetype=thing name=thing earliest=-60d latest=-7d
| bucket _time span=1mon 
| dedup host-ip plugin_family plugin_name host-ip ports{}.port ports{}.protocol ports{}.transport 
| stats count(eval(severity!=informational) as VH, dc(host-ip) as TH, count by plugin_family, severity, _time
| fillnull critical, high,medium,low 
| eval RiskValue=/Formula/
| timechart span=1mon max(RiskValue)

Re: Why does the Timechart command with eval result returns empty visualization?

ivan128 — Fri, 02 Mar 2018 20:14:39 GMT

Thanks for the answer, its missing an ) to close the stats count (eval, at least now it presents the statistics tab, but the risk value is null, checking the values in every field I noticed that the VH (vulnerable hosts) field is 0 in every instance

Edit: unless I'm missing something, the only condition to identify if a host is vulnerable it's if the severity is different from informational correct?