Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I add the date, from which the events happend, in a chart with a "chart count by field1, field2" command?

ganinurceski
Engager
‎02-05-2020 12:19 AM

Or maybe it is easier, to mention the date in the description, when an e-mail is sent.
This is my search at the moment:

index=smsc tag=MPRO_PRODUCTION DATA ="*" command_id_description="*" NOT (...) command_status_code="*" NOT (...) | dedup DATA | chart count by SHORT_ID, command_status_code | search NOT ESME_RTHROTTLED=0 | sort - ESME_RTHROTTLED | head 15

Thanks for your help!

0 Karma
Reply

somesoni2
Revered Legend
‎02-05-2020 10:43 AM

Do you want to have the timestamp (assuming _time) field along with the chart command output? If yes, give something like this a try (gets last time for a SHORT_ID and command_status_code combination):

index=smsc tag=MPRO_PRODUCTION DATA ="*" command_id_description="*" NOT (...) command_status_code="*" NOT (...) | dedup DATA | stats count max(_time) as time by SHORT_ID command_status_code | eval SHORT_ID_time=SHORT_ID."####".time | chart sum(count) as count by SHORT_ID_time, command_status_code | search NOT ESME_RTHROTTLED=0 | sort - ESME_RTHROTTLED | head 15
| rex field=SHORT_ID_time "(?<SHORT_ID>.+)####(?<time>.+)" | fields - SHORT_ID_time | rename time as _time 
| table _time SHORT_ID *
Reply

ganinurceski
Engager
‎02-06-2020 12:53 AM

This looks not bad, but now one Field Value (command_status_code), don't show up any count/Numbre.
The timestamp is now available. The second field value (command_status_code) is right (right count).

0 Karma
Reply

to4kawa
Ultra Champion
‎02-05-2020 06:39 AM

sample log please.

0 Karma
Reply

ganinurceski
Engager
‎02-06-2020 12:55 AM

2020-02-05 23:59:59.973348 SESSION_ID=... TRANS_ID=... MSG_ID=... SHORT_ID=... ORIGINATOR="IP":"Port" PROXY="IP":"Port" DESTINATION="IP":"Port" RESULT=0 LENGTH=25 DATA=000000198000000400000000000000A3364636354337434500 EXTRA=

i've removed the field values

0 Karma
Reply

to4kawa
Ultra Champion
‎02-06-2020 03:10 PM 
| chart count by SHORT_ID, command_status_code

Does your sample contain above two fields?

| search NOT ESME_RTHROTTLED=0

what's ESME_RTHROTTLED?

I think your chart result is like below:

SHORT_ID,command_stats_code_A,command_stats_code_B,command_stats_code_C
SHORT_ID_A,x,x,x
SHORT_ID_B,y,y,y
....

Using bin , stats and untable works well for aggregation with time as rows in multiple elements, but in that case we can not make a query unless we know what the value of the field is.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...