Splunk Search

Timechart as VS Timechart by

shayhibah
Path Finder

Over the last 3 days I was trying to create dashboard with single value + trends.

The query was something like this:

  • | dedup 1 src | timechart count by src

The goal was to get total number of src based on dashboard time range (before talking about the trends).

right now, by mistake (must be honest), I changed the query so I replaced the word by with as and it seems to work but not perfectly - when I change the time range to all time i expect to see all events but I get only one of them (although there are 5 events in results):

Can someone please tell me why I got confused and to translate my goal above into query correctly for next time?

Thanks

Tags (2)
0 Karma

DalJeanis
SplunkTrust
SplunkTrust

If you are looking for the total number of different srcs in any given time period, then use this

  | timechart dc(src) 
0 Karma

shayhibah
Path Finder

@DalJeanis
next to events tab I still see 5 but when I visualize it using single value, I see only 1

0 Karma

horsefez
SplunkTrust
SplunkTrust

Hi @shayhibah,

so what you are doing with your first search will split the timechart count by your Source IP.
So you basically count e.g. every hour how many Source IPs have been seen and split this value by each unique Source IP.

When using AS or as instead of by you are renaming the count field as "src"
You are now creating a count of all the Source IPs that where seen in e.g. an hour over time.

0 Karma

shayhibah
Path Finder

@pyro_wood
Thank you for the clarification, but if so, I see 5 events but when I visualize it using single value - I see only 1 instead of 5

0 Karma

andreacorvini
Path Finder

With "by src" you have 1 result per event, it's not one value.
With "as src" you have 1 "count" result renamed in "src".

0 Karma

shayhibah
Path Finder

@andreacorvini
Thank you for the clarification, but if so, I see 5 events but when I visualize it using single value - I see only 1 instead of 5

0 Karma

andreacorvini
Path Finder

| timechart count as src is the right code (count of "src" events renamed in "src").

If you use "count by src" and you have deduplicated "by src" in the previous action, you can have always 1 as result (1 event per "src").

0 Karma

andreacorvini
Path Finder

Yes, you see 1 "count" field with value=5. No?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...