Dashboards & Visualizations

Line Chart with a day wise usage count

zacksoft
Contributor

I want to know how frequently a keyword is found(from the list of events) and see it in a time chart.
This is the search I am using, I am not sure if I am using it correct .
And there is a null line found in the line chart.

host= "HostA" or "HostB" "videostreamed"
| eval view=if(like(_raw,"%videostreamed%"),"Prime_Streamed"
| timechart span=1d count by view

I want to know the amount of events generated with the key word "videostreamed" based on the base-search I have, on a daily basis in a line chart.
Example : if the linechart has a spike on Monday, It should mean more events found with the videostreamed
The more the number of events, the higher is the usage that day.

I hope I am clear with my explanation

Tags (1)
0 Karma
1 Solution

HiroshiSatoh
Champion

I think that this alone is good.

host= "HostA" or "HostB" "videostreamed"
| timechart span=1d count

Do you also need a number that does not match?

View solution in original post

0 Karma

woodcock
Esteemed Legend

I think this:

host= "HostA" or "HostB" 
| timechart span=1d count count(eval(searchmatch("videostreamed"))) AS Prime_Streamed BY view

Or, probably you'd like this better:

host= "HostA" or "HostB" 
| bucket _time span=1d 
| stats count count(eval(searchmatch("videostreamed"))) AS Prime_Streamed BY view_time
| eval pct = 100 * Prime_Streamed / count
| timechart span=1d avg(pct) AS pct BY view
0 Karma

ppuru
Path Finder

You may want to consider assigning a number to it.
index=* | eval Text_Found = if(like(_raw,"%GET%"),"1","0") | where Text_Found=1 | timechart span=1m count by Text_Found

0 Karma

HiroshiSatoh
Champion

I think that this alone is good.

host= "HostA" or "HostB" "videostreamed"
| timechart span=1d count

Do you also need a number that does not match?

0 Karma

zacksoft
Contributor

yes, That would help too.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...