How do I do a timechart by category with individual counts of the hosts?

prakash007
Builder

index=a host=has 4 hosts
index=b host=has 4 hosts

Can we do a timechart with stacked columns, categorizing the hosts by index and having the individual count of the hosts in each stack?

I am able to do a timechart by category based on this answer, but I am looking for a way to do individual counts of each host in a stacked column too:

https://answers.splunk.com/answers/525574/looking-for-a-search-to-categorize-by-hosts.html

1 Solution

somesoni2
Revered Legend

Assuming you need output like _time host1 host2 ... total_a total_b, give this a try:

your base search
| bucket span=10m _time
| stats count by _time index host
| appendpipe [ | stats sum(count) as count by _time index | eval host="total_".index ]
| timechart span=10m sum(count) by host

(assuming you want to bucket time; update the span as required)
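As an added example, not from the original thread: the same search run against constructed data generated with makeresults, so you can check the output shape (one series per host plus a total_a and total_b series) without real indexes. The 200-event count, the one-hour window and the host names are assumptions.

```spl
| makeresults count=200
| eval _time = now() - (random() % 3600)
| eval index = if(random() % 2 = 0, "a", "b")
| eval host = index . "-host" . tostring(random() % 4 + 1)
| bucket span=10m _time
| stats count by _time index host
| appendpipe [ | stats sum(count) as count by _time index | eval host = "total_" . index ]
| timechart span=10m sum(count) by host
```

The first four lines are only the constructed data (two indexes, four hosts each, spread over the last hour); replace them with your base search to use it for real.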

prakash007
Builder

I am almost there, but the index A and B totals and the individual hosts are on a single stack. Is there any way I can do a different stacked column for each: Index A total with individual host counts, Index B total with individual host counts?


somesoni2
Revered Legend

Not sure if that's possible. See if this workaround works for you.

your base search
| bucket span=10m _time
| stats count by _time index host
| appendpipe [ | where index="a" | timechart span=10m sum(count) by host | addtotals | rename Total as Total_a | eval keep=1 ]
| appendpipe [ | where index="b" | timechart span=10m sum(count) by host | addtotals | rename Total as Total_b | eval _time=_time+1 | eval keep=1 ]
| where keep=1 | sort 0 _time

prakash007
Builder

This search works fine; I did some chart overlay with the total counts in my case. Thanks!

ddrillic
Ultra Champion

Are you starting with something like index=a OR index=b | timechart count by host?


prakash007
Builder

Yes, that works fine to get the individual count of the host in the stacked column, and I am also expecting to do a total count by index within the stacked column.

prakash007
Builder

This is what I did so far, where I can get the total count by category (index=a and index=b), but I am looking for whether there's a way we can do individual counts within this search...

your base search giving fields host, _time
| ...some logic to get category field there...
| bucket _time span=10m
| stats count by _time group host
| appendpipe [ | stats sum(count) as count by _time group | eval group=group."- Total" ]
| timechart span=10m sum(count) by group

(assuming you want to bucket time; update the span as required)