Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need Help with Timechart

zacksoft
Contributor
‎01-04-2019 01:55 AM

......
.....
| table log_Time username | where username!="anonymous"

And the output is as follows
log_time user
2019-04-01 04:16 EMOLYB
2019-04-01 04:13 JACKT67
2019-04-01 03:57 SAMYYW
2019-04-01 04:26 S8888W
2019-04-01 04:36 srcRTtst
2019-04-01 04:44 A00007
2019-04-01 04:06 sUYTREt
2019-04-01 04:40 B665449

I want to know how many users were logged in a span of 15 min for last 24 hour in a bar chart.
I tried something like this after table command and it doesn't work.
| timechart count(username) span=15m (set time range to last 24 hours). But the visualization doesn't render anything neither the statistics tab.

Tags (1)
0 Karma
Reply

whrg
Motivator
‎01-04-2019 02:27 AM

timechart relies on the _time field. You are missing the _time field. That's why there are no results.

Check out this thread: how to use a field as timestamp for a timechart.

You could create the _time field as follows:

| eval _time=strptime(log_Time,"%Y-%m-%d %H:%M")
| timechart count(username) span=15m

I'm not sure if it's supposed to be %Y-%m-%d or %Y-%d-%m since your example data is ambiguous.

Also, I noted that once you wrote "username" and somewhere else "user". The field name should be the same.

On a side note: You can also count distinct/unique users via dc(username) instead of count(username).

Reply

zacksoft
Contributor
‎01-04-2019 02:44 AM 
host=Ra20plpphu* sourcetype="bsa:phua:security" "HttpSession" | rex "(?:\S+\s){3}(?<user>\S+)\s\S+\s(?<session>\S+)\s.*?HttpSession (?:\[[^\]]+\]\s)?(?<action>\S+)?"
 | stats first(_time) as logonTime, latest(action) as action, latest(user) as user by session
 | where action="created"
| table logonTime user | where user!="anonymous"
| eval _time=strptime(logonTime,"%Y-%m-%d %H:%M")
 | timechart count(user) span=15m

still won't work. I don't see visualization from timechart.

0 Karma
Reply

whrg
Motivator
‎01-04-2019 03:27 AM

Try "stats first(_time) as _time ..." and remove both the table and the eval line.

0 Karma
Reply

zacksoft
Contributor
‎01-04-2019 03:34 AM

Thank you @whrg. This helped.

0 Karma
Reply

sdchakraborty
Contributor
‎01-04-2019 02:48 AM

there is no "username" field. It needs to be | timechart count(user) span=15m

0 Karma
Reply

zacksoft
Contributor
‎01-04-2019 02:51 AM

It was a typo error here. In actual code it is "user".

0 Karma
Reply

sdchakraborty
Contributor
‎01-04-2019 02:26 AM

Hi,

Assuming you are indexing data using log_time field ( means _time and log_time are same) please try the below search,

| timechart  span=15m count(user)
0 Karma
Reply

zacksoft
Contributor
‎01-04-2019 02:44 AM 
host=Ra20plpphu* sourcetype="bsa:phua:security" "HttpSession" | rex "(?:\S+\s){3}(?<user>\S+)\s\S+\s(?<session>\S+)\s.*?HttpSession (?:\[[^\]]+\]\s)?(?<action>\S+)?"
 | stats first(_time) as logonTime, latest(action) as action, latest(user) as user by session
 | where action="created"
| table logonTime user | where user!="anonymous"
| eval _time=strptime(logonTime,"%Y-%m-%d %H:%M")
 | timechart count(user) span=15m

It still won't visualize.
The idea is to know the number of users active/logged in in a 15 min time span over a period of 24 hour

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...