Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Visualization limit

arkonner
Path Finder
‎08-11-2016 03:03 AM

with the search below I identify the account locked-out - I am using "column chart" output and under visualization format there is no limit but as result only ten Account names are displayed. I have no idea where this limit has been introduced and I need to display all Account locked-out

Thank you in advance for the attention given

index=wineventlog source="WinEventLog:Security" sourcetype="WinEventLog:Security" Account_Name="*" EventCode=4740 OR EventCode=644 AND Account_Name!=Guest AND Account_Name!=Administrator AND Account_Name!=Anonymous | eval Account_Name = mvindex(Account_Name,1) | eval Security_ID = mvindex(Security_ID,1) | timechart span=1h useother=f count by Account_Name

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-11-2016 07:50 AM

Try this

index=wineventlog source="WinEventLog:Security" sourcetype="WinEventLog:Security" Account_Name="*" EventCode=4740 OR EventCode=644 AND Account_Name!=Guest AND Account_Name!=Administrator AND Account_Name!=Anonymous | eval Account_Name = mvindex(Account_Name,1) | eval Security_ID = mvindex(Security_ID,1) | timechart limit=0 span=1h useother=f count by Account_Name

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-11-2016 07:50 AM

Try this

index=wineventlog source="WinEventLog:Security" sourcetype="WinEventLog:Security" Account_Name="*" EventCode=4740 OR EventCode=644 AND Account_Name!=Guest AND Account_Name!=Administrator AND Account_Name!=Anonymous | eval Account_Name = mvindex(Account_Name,1) | eval Security_ID = mvindex(Security_ID,1) | timechart limit=0 span=1h useother=f count by Account_Name
0 Karma
Reply
Solved! Jump to solution

davebrooking
Contributor
‎08-11-2016 04:21 AM

The timechart command has a limit option, I thought the default was documented, but don't see it in the docs. This earlier answer states the default is 10.

Dave

0 Karma
Reply
Solved! Jump to solution

JDukeSplunk
Builder
‎08-11-2016 07:47 AM

Yep like Dave said there is a limit=X option for timechart. Timechart can be a bear to display properly. Depending on the time range the search is run in, I often have to slice it into bigger slices using span= as well as limit.

So. If you're doing a 30 day search your timechart might look like this to get the top 50 accounts per day. 

 | timechart span=1d useother=f  limit=50 count by Account_Name
0 Karma
Reply
Solved! Jump to solution

arkonner
Path Finder
‎08-11-2016 07:58 AM

Thank you Dave

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...