Re: Need Help with Timechart

zacksoft · ‎01-04-2019

......
.....
| table log_Time username | where username!="anonymous"

And the output is as follows
log_time user
2019-04-01 04:16 EMOLYB
2019-04-01 04:13 JACKT67
2019-04-01 03:57 SAMYYW
2019-04-01 04:26 S8888W
2019-04-01 04:36 srcRTtst
2019-04-01 04:44 A00007
2019-04-01 04:06 sUYTREt
2019-04-01 04:40 B665449

I want to know how many users were logged in a span of 15 min for last 24 hour in a bar chart.
I tried something like this after table command and it doesn't work.
| timechart count(username) span=15m (set time range to last 24 hours). But the visualization doesn't render anything neither the statistics tab.

whrg · ‎01-04-2019

timechart relies on the _time field. You are missing the _time field. That's why there are no results.

Check out this thread: how to use a field as timestamp for a timechart.

You could create the _time field as follows:

| eval _time=strptime(log_Time,"%Y-%m-%d %H:%M")
| timechart count(username) span=15m

I'm not sure if it's supposed to be %Y-%m-%d or %Y-%d-%m since your example data is ambiguous.

Also, I noted that once you wrote "username" and somewhere else "user". The field name should be the same.

On a side note: You can also count distinct/unique users via dc(username) instead of count(username).

zacksoft · ‎01-04-2019

host=Ra20plpphu* sourcetype="bsa:phua:security" "HttpSession" | rex "(?:\S+\s){3}(?<user>\S+)\s\S+\s(?<session>\S+)\s.*?HttpSession (?:\[[^\]]+\]\s)?(?<action>\S+)?"
 | stats first(_time) as logonTime, latest(action) as action, latest(user) as user by session
 | where action="created"
| table logonTime user | where user!="anonymous"
| eval _time=strptime(logonTime,"%Y-%m-%d %H:%M")
 | timechart count(user) span=15m

still won't work. I don't see visualization from timechart.

whrg · ‎01-04-2019

Try "stats first(_time) as _time ..." and remove both the table and the eval line.

zacksoft · ‎01-04-2019

Thank you @whrg. This helped.

sdchakraborty · ‎01-04-2019

there is no "username" field. It needs to be | timechart count(user) span=15m

zacksoft · ‎01-04-2019

It was a typo error here. In actual code it is "user".

sdchakraborty · ‎01-04-2019

Hi,

Assuming you are indexing data using log_time field ( means _time and log_time are same) please try the below search,

| timechart  span=15m count(user)

zacksoft · ‎01-04-2019

host=Ra20plpphu* sourcetype="bsa:phua:security" "HttpSession" | rex "(?:\S+\s){3}(?<user>\S+)\s\S+\s(?<session>\S+)\s.*?HttpSession (?:\[[^\]]+\]\s)?(?<action>\S+)?"
 | stats first(_time) as logonTime, latest(action) as action, latest(user) as user by session
 | where action="created"
| table logonTime user | where user!="anonymous"
| eval _time=strptime(logonTime,"%Y-%m-%d %H:%M")
 | timechart count(user) span=15m

It still won't visualize.
The idea is to know the number of users active/logged in in a 15 min time span over a period of 24 hour

Need Help with Timechart

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

Need Help with Timechart

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine