Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Timechart reporting zeros in counts
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to use the following search to make a timechart on security incident sources, but Splunk is reporting zeros for all the counts which I can confirm is NOT accurate at all. I think the issue is because I need to use a different time field for the timeline. Can someone assist me in making this chart work?
index=sir sourcetype=sir
| rex field=dv_affected_user "(?<user>[[:alnum:]]{5})\)"
| rex mode=sed field=opened_at "s/\.0+$//"
| rex mode=sed field=closed_at "s/\.0+$//"
| rename opened_at AS Opened_At, closed_at AS "Closed At", number AS "SIR Number", dv_assignment_group AS "Assignment Group", dv_state AS State, short_description AS "Short Description", close_notes AS "Closed Notes", dv_u_organizational_action AS "Org Action", u_concern AS Concern, dv_u_activity_type AS "Activity Type", dv_assigned_to AS "Assigned To"
| eval _time=Opened_At
| eval Source=coalesce(dv_u_specific_source, dv_u_security_source)
| fillnull value=NULL Source
| table Source, _time, "SIR Number"
| timechart span=1mon count usenull=f by Source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for sharing that link @burwell ! It was hugely helpful. What finally ended up working was the following: The additional where line was key. Thank you for helping me work through this!
| eval _time = strptime(Opened_At,"%Y-%m-%d %H:%M:%S")
| sort -_time
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I should add that the format of the Opened_At field is '2023-02-03 15:39:44'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's the answer https://community.splunk.com/t5/Splunk-Search/how-to-use-a-field-as-timestamp-for-a-timechart/m-p/14...
Use strptime to format your field Opened_At and create a unixtimestamp
Then assign that to _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This allows me to create a timechart, but the time picker isn't connecting to it. So if I ask for a 90 day timechart I get all records for the last year vs just the last 90 days worth of data. Is there a fix for that @burwell ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does adding | addinfo help you @Mindy_McTiernan
https://www.splunk.com/en_us/blog/tips-and-tricks/i-cant-make-my-time-range-picker-pick.html
| eval unixtime_Opened_At
| eval _time=unixtime_Opened_At
| addinfo
| timechart ...- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for sharing that link @burwell ! It was hugely helpful. What finally ended up working was the following: The additional where line was key. Thank you for helping me work through this!
| eval _time = strptime(Opened_At,"%Y-%m-%d %H:%M:%S")
| sort -_time
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
Splunk Observability for AI
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Splunk Observability as Code: From Zero to Dashboard
