Dashboards & Visualizations

Timechart, trendline and table

fedejko
Explorer

I am using the timechart and trendline search commands, and then I want to pipe the results into a table and add a field there:

index=xxx sourcetype=yyy some_search_criteria
| timechart span=12h count
| trendline sma10(count) as trend
| table _time count trend sourcetype

In the table I can see all fields populated except for "sourcetype", which is empty.

But, if I remove timechart and trendline commands, the "sourcetype" field in the table is populated.

How do I get it populated while using timechart and trendline?


Sukisen1981
Champion

Try this:

| timechart span=12h count, values(sourcetype)
| rename values(sourcetype) as sourcetype | trendline sma10(count) as trend
| table _time count trend sourcetype

Reasonable to assume you have only 1 sourcetype per event?


fedejko
Explorer

Thank you, it works. Although I modified it slightly:

Instead of

| timechart span=12h count ,values(sourcetype)
| rename...

I did the following:

| timechart span=12h count values(sourcetype) as sourcetype

Regards.


fedejko
Explorer

I have tried the following with another field - src_ip instead of sourcetype.
With "sourcetype" I had only 1 sourcetype per event.
With src_ip I've got more.

They appear in the table one after another, and if I want to exclude IP addresses from the "10.*" range, nothing happens, because in the table I've got:

10.1.1.1 80.10.20.30 212.123.21.12

and if I exclude 10.* using | search src_ip!="10.*" then nothing appears there, because 10.1.1.1 was among the results.

How do I correct it?


Sukisen1981
Champion

Hi @fedejko - so this src_ip has multiple values; the output you are referring to probably comes combined vertically and not horizontally in a single field? Something like this:
10.1.1.1
80.10.20.30
212.123.21.12
If this is correct, add this code before the trendline, so your code looks something like this:
| timechart span=12h count values(src_ip) as src_ip

Add this:
| timechart span=12h count values(src_ip) as src_ip | mvexpand src_ip | rest of your trendline and table commands...
If my understanding is not correct, please provide a screenshot of your as-is and to-be outputs.


fedejko
Explorer

Hi,

IPs expand from left to right: https://ibb.co/Bsx3ZFv

After adding what you suggested it messed up my chart: https://ibb.co/8c0YBRj

What I do there is the following:
I use rex to extract an IP address from the beginning of the log
I exclude internal IPs
Plot it on the chart
Introduce a new value: threshold, which equals 5 * trend
and the aim of all that is to detect spikes in traffic which are bigger than the threshold.

Here's the example of a proper graph: https://ibb.co/r7FQsf7

In the previous graph, the bars would never intersect with the threshold line, hence the alert would never fire.

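The steps listed above combined into one search, as an added example rather than fedejko's own query: the index, sourcetype and search criteria placeholders and the 10.* exclusion come from the thread, while the rex pattern and the extra 172.16.* and 192.168.* exclusions are assumptions. The IP filter runs before timechart, so each 12h bucket stays a single row and the count, trend and threshold compare line up; mvexpand after timechart would instead repeat each bucket's count once per IP and distort the chart.

```spl
index=xxx sourcetype=yyy some_search_criteria
| rex field=_raw "^(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
| search src_ip!="10.*" src_ip!="172.16.*" src_ip!="192.168.*"
| timechart span=12h count values(src_ip) as src_ip
| trendline sma10(count) as trend
| eval threshold=5*trend
| where isnotnull(trend) AND count > threshold
| table _time count trend threshold src_ip
```

sma10 needs ten buckets of history, so the first nine rows have no trend value; the isnotnull check drops them explicitly instead of comparing count against a null threshold. Remove the where clause to keep every bucket for the chart and use it only in the alert search.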