how to use timechart to to search

perlish · ‎08-07-2012

Hi, i want split the login log by timechart span "30s"
in the every "30s",if the login fail count by one ip is bigger than 5, it`s a alert
Now i want know how many alert in the last 7 days, how can i do?
I use this "[login]" result:fail | timechart span="30s" count by ip | search count > 5 | stats

but it`s uncorrect.

Thank you

perlish · ‎08-08-2012

thank you very much, it have already slove my issue.

Now i want to create a pie

"[login]" result:succeed | bin _time span="30s" | stats count by _time, ip | search count > 5

use this search i will got time,ip,count

i want use only ip and count to create a pie, how to do this?
thank you

sideview · ‎08-08-2012

Here you go. You have to use bin and stats manually, instead of using timechart.

"[login]" result:fail | bin _time span="30s" | stats count by _time, ip | search count > 5 | stats count

perlish · ‎08-08-2012

thank you very much, it have already slove my issue.

Now i want to create a pie

"[login]" result:succeed | bin _time span="30s" | stats count by _time, ip | search count > 5

use this search i will got time,ip,count

i want use only ip and count to create a pie, how to do this? thank you

how to use timechart to to search

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...