Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Dashboard time formatting

majilan1
Path Finder
‎05-14-2024 02:12 PM

Hi, im working on creating a dashboard but I'm not familiar with time formatting is there a way some one can help on how to format time to strftime in this search to show on the dashboard:

Index=a sourcetype=b earliest=-30d [|inputlookup LU0_siem_asset_list where f_id=*OS-03* | stats values(asset) as search | eval search=mvjoin(search,", OR ")]
| fields src src_ip src_f_id _time
| stats latest(_time) values(*) by src_ip.

Thanks!

Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-14-2024 03:33 PM

If asset is unique in your lookup, you could do this (the format command will put in the "OR"s between rows)

Index=a sourcetype=b earliest=-30d [|inputlookup LU0_siem_asset_list where f_id=*OS-03* | rename asset as search | table search | format]
| fields src src_ip src_f_id _time
| stats latest(_time) as _time values(*) by src_ip. 
| fieldformat _time=strftime(_time, "%Y-%m-%d %H:%M:%S")

This is just an example of a format you could use

For more details on the option, see the documentation https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Commontimeformatvariables

 

0 Karma
Reply

majilan1
Path Finder
‎05-14-2024 04:21 PM

The search works, but I'm not able to put a chart even I have 7 statistics the only Splunk visualization I get to work is Histogram chart which is weird. Any idea why? Could it be because I have the exact same _time and values except for values(src) and src_ip are different.

Thanks!

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-14-2024 04:32 PM

It is not clear what it is you are trying to visualise - by using values(*) you will get a series of multivalue fields - how are you trying to visualise these?

0 Karma
Reply

majilan1
Path Finder
‎05-14-2024 04:45 PM

to be clear here is what i'm getting:

src_ip                     _time                               values(src)                      values(src_f_id)                                                                        01.00.00                 2024-04-10                  abcd1                                  OS-0030

02.00.00                  2024-04-10                  abcd2                                  OS-0030

03.00.00                   2024-04-10                 abcd3                                    OS-0030

So this is what I see on my end, what I'm trying to do is to present these in a nice dashboard.

Thanks! 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...