Dashboards & Visualizations
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

timechart - how to work with timechart and stats count by

juliop3p
Explorer
‎06-16-2022 03:20 PM

Hi guys, i need some help.

I'm trying to make a time chart to compare how many times my system gets restarted comparing today with 7 days ago.

I have this healthcheck log and the first log is when the user logs in for the first time and the next is the times that the user restarts my app.

with the following query works just fine the problem here is that i get the results from (initialization + restart) but i want the result just from the restart.

 

index=myIndex Title=Healthcheck earliest=-10d@d latest=@d
| timechart span=1h count
| timewrap d series=short
| fields _time s0 s7
| rename s0 as Today, s7 as "7 days ago"

 



with this other query i have exactly the restart from each user but i cant make it work with time chart.

 

index=myIndex Title=Healthcheck 
| stats count by Data.Ip
| eval count = count - 1

 



if it was confused i posted this other question explaining my scenario: https://community.splunk.com/t5/Splunk-Search/How-to-change-the-result-of-my-stats-count/td-p/600364

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-16-2022 08:28 PM

Can you identify which of the events in the index are initialisation events and which are restart events?

0 Karma
Reply

juliop3p
Explorer
‎06-16-2022 09:16 PM

i can't, i just know that the first log from each hostname is the initialisation.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-16-2022 10:35 PM

Would that be the first log for each host ever, no matter what the time frame for the search, e.g. only looking at yesterday? Or, the first log for each host each day, no matter what the time frame for the search, e.g. only looking at yesterday afternoon?

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎06-16-2022 10:31 PM

@juliop3p - Kindly post sample events, that will make it easier to understand.

0 Karma
Reply

juliop3p
Explorer
‎06-16-2022 10:50 PM

every time a user open the app generate a healthcheck log like that:

Data
  - HostName: 1234
  - AppVersion: 1.0.0
  - SO: W10

the same user (HostName) can have like 3 of this logs in one day but i want to track just reinitialisation, so in this example i have 3 logs:

1 log :  initialisation
2 logs: reinitialisation

and i want to have a timechart view so i can track the total reinitialisation by hour comparing with 7 day ago

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-16-2022 11:04 PM

What happens if the user closes the app and re-opens it on the same day? Can you distinguish this as a new initialisation?

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top