topic Re: Stats values Into timechart -- I can't get timechart to work in Splunk Search

Stats values Into timechart -- I can't get timechart to work

IRHM73 — Wed, 13 Sep 2017 11:35:03 GMT

Hi, I wonder whether someone could help me please.

I've put together this query:

| multisearch
[ search `frontenda_wmf(Payments)` detail.dueDate="2018-01-31"]
[ search `frontendb_wmf(RequestReceived)` detail.queryString="*AUTHORISED*HM00*"]
| stats values(detail.dueDate) as due values(detail.queryString) as query values(auditSource) as auditSource values(auditType) as auditType by tags.IP
| where (auditSource="frontenda" AND auditSource="frontendb" AND auditType="Payments" AND auditType="RequestReceived")
| timechart span=1d count(due)

The problem I'm having is that I can't get the timechart to work. I've also tried just using chart and that doesn't work either.

Could someone possibly look at this please and let me know where I've gone wrong?

Many thanks and kind regards

Chris

Re: Stats values Into timechart -- I can't get timechart to work

cmerriman — Wed, 13 Sep 2017 11:45:04 GMT

for timechart to work, you need _time in your results. try working _time into your multisearch/stats command before timechart. you can add in |bucket span=1d _time |stats ..... by tags.IP _time and then it is already bucketed by 1 day. If detail.dueDate is what the days need to be bucketed by, you'll need to create an eval like |eval _time=strptime(detail.dueDate,"%Y-%m-%d")

Re: Stats values Into timechart -- I can't get timechart to work

gcusello — Wed, 13 Sep 2017 11:45:42 GMT

Hi IRHM73.
at first in your stats command you haven't _time as values so you haven't it in the following timechart.
Anyway, what's the output of your search without the timechart command?
To execute the timechart count(due) command you need at least of two fields -time and due, are there?
Bye.
Giuseppe

Re: Stats values Into timechart -- I can't get timechart to work

niketn — Wed, 13 Sep 2017 11:49:58 GMT

@IRHM73, your stats command is removing _time field which is required for timechart so you need to change to following:

  | multisearch
 [ search `frontenda_wmf(Payments)` detail.dueDate="2018-01-31"]
 [ search `frontendb_wmf(RequestReceived)` detail.queryString="*AUTHORISED*HM00*"]
 | bin _time span=1d 
 | stats values(detail.dueDate) as due values(detail.queryString) as query values(auditSource) as auditSource values(auditType) as auditType by tags.IP _time
 | search auditSource="frontenda" AND auditSource="frontendb" AND auditType="Payments" AND auditType="RequestReceived"
 | timechart span=1d count(due)

Please try and confirm.

Re: Stats values Into timechart -- I can't get timechart to work

IRHM73 — Wed, 13 Sep 2017 12:07:44 GMT

Hi @niketnilay, this works perfectly thank you.

If you want to add this as an answer I can accept it for you.

Regards

Chris

Re: Stats values Into timechart -- I can't get timechart to work

IRHM73 — Wed, 13 Sep 2017 12:10:17 GMT

Hi @cusello, thank you for taking the time to reply to my post.

You'll see that both @cmerriman and @niketnilay were along similar lines.

Kind Regards

Chris

Re: Stats values Into timechart -- I can't get timechart to work

niketn — Wed, 13 Sep 2017 12:29:40 GMT

@IRHM73, Glad it worked... I have converted to answer. Please accept to mark as answered!

Re: Stats values Into timechart -- I can't get timechart to work

IRHM73 — Wed, 13 Sep 2017 12:31:56 GMT

Hi @cmerriman. Thank you for taking the time to come back to me with this and for the alternative solution to @niketnilay.

Kind Regards

Chris