Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I add the date, from which the events happend, in a chart with a "chart count by field1, field2" command?

ganinurceski
Engager
‎02-05-2020 12:19 AM

Or maybe it is easier, to mention the date in the description, when an e-mail is sent.
This is my search at the moment:

index=smsc tag=MPRO_PRODUCTION DATA ="*" command_id_description="*" NOT (...) command_status_code="*" NOT (...) | dedup DATA | chart count by SHORT_ID, command_status_code | search NOT ESME_RTHROTTLED=0 | sort - ESME_RTHROTTLED | head 15

Thanks for your help!

0 Karma
Reply

somesoni2
Revered Legend
‎02-05-2020 10:43 AM

Do you want to have the timestamp (assuming _time) field along with the chart command output? If yes, give something like this a try (gets last time for a SHORT_ID and command_status_code combination):

index=smsc tag=MPRO_PRODUCTION DATA ="*" command_id_description="*" NOT (...) command_status_code="*" NOT (...) | dedup DATA | stats count max(_time) as time by SHORT_ID command_status_code | eval SHORT_ID_time=SHORT_ID."####".time | chart sum(count) as count by SHORT_ID_time, command_status_code | search NOT ESME_RTHROTTLED=0 | sort - ESME_RTHROTTLED | head 15
| rex field=SHORT_ID_time "(?<SHORT_ID>.+)####(?<time>.+)" | fields - SHORT_ID_time | rename time as _time 
| table _time SHORT_ID *
Reply

ganinurceski
Engager
‎02-06-2020 12:53 AM

This looks not bad, but now one Field Value (command_status_code), don't show up any count/Numbre.
The timestamp is now available. The second field value (command_status_code) is right (right count).

0 Karma
Reply

to4kawa
Ultra Champion
‎02-05-2020 06:39 AM

sample log please.

0 Karma
Reply

ganinurceski
Engager
‎02-06-2020 12:55 AM

2020-02-05 23:59:59.973348 SESSION_ID=... TRANS_ID=... MSG_ID=... SHORT_ID=... ORIGINATOR="IP":"Port" PROXY="IP":"Port" DESTINATION="IP":"Port" RESULT=0 LENGTH=25 DATA=000000198000000400000000000000A3364636354337434500 EXTRA=

i've removed the field values

0 Karma
Reply

to4kawa
Ultra Champion
‎02-06-2020 03:10 PM 
| chart count by SHORT_ID, command_status_code

Does your sample contain above two fields?

| search NOT ESME_RTHROTTLED=0

what's ESME_RTHROTTLED?

I think your chart result is like below:

SHORT_ID,command_stats_code_A,command_stats_code_B,command_stats_code_C
SHORT_ID_A,x,x,x
SHORT_ID_B,y,y,y
....

Using bin , stats and untable works well for aggregation with time as rows in multiple elements, but in that case we can not make a query unless we know what the value of the field is.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...