Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Dashboard time formatting

majilan1
Path Finder
‎05-14-2024 02:12 PM

Hi, im working on creating a dashboard but I'm not familiar with time formatting is there a way some one can help on how to format time to strftime in this search to show on the dashboard:

Index=a sourcetype=b earliest=-30d [|inputlookup LU0_siem_asset_list where f_id=*OS-03* | stats values(asset) as search | eval search=mvjoin(search,", OR ")]
| fields src src_ip src_f_id _time
| stats latest(_time) values(*) by src_ip.

Thanks!

Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-14-2024 03:33 PM

If asset is unique in your lookup, you could do this (the format command will put in the "OR"s between rows)

Index=a sourcetype=b earliest=-30d [|inputlookup LU0_siem_asset_list where f_id=*OS-03* | rename asset as search | table search | format]
| fields src src_ip src_f_id _time
| stats latest(_time) as _time values(*) by src_ip. 
| fieldformat _time=strftime(_time, "%Y-%m-%d %H:%M:%S")

This is just an example of a format you could use

For more details on the option, see the documentation https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Commontimeformatvariables

 

0 Karma
Reply

majilan1
Path Finder
‎05-14-2024 04:21 PM

The search works, but I'm not able to put a chart even I have 7 statistics the only Splunk visualization I get to work is Histogram chart which is weird. Any idea why? Could it be because I have the exact same _time and values except for values(src) and src_ip are different.

Thanks!

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-14-2024 04:32 PM

It is not clear what it is you are trying to visualise - by using values(*) you will get a series of multivalue fields - how are you trying to visualise these?

0 Karma
Reply

majilan1
Path Finder
‎05-14-2024 04:45 PM

to be clear here is what i'm getting:

src_ip                     _time                               values(src)                      values(src_f_id)                                                                        01.00.00                 2024-04-10                  abcd1                                  OS-0030

02.00.00                  2024-04-10                  abcd2                                  OS-0030

03.00.00                   2024-04-10                 abcd3                                    OS-0030

So this is what I see on my end, what I'm trying to do is to present these in a nice dashboard.

Thanks! 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...