Getting Data In

How can I add the date on which the events happened to a chart built with a "chart count by field1, field2" command?

ganinurceski
Engager

Or maybe it is easier to mention the date in the description when an e-mail is sent.
This is my search at the moment:

index=smsc tag=MPRO_PRODUCTION DATA ="*" command_id_description="*" NOT (...) command_status_code="*" NOT (...) | dedup DATA | chart count by SHORT_ID, command_status_code | search NOT ESME_RTHROTTLED=0 | sort - ESME_RTHROTTLED | head 15

Thanks for your help!

0 Karma

somesoni2
SplunkTrust

Do you want to have the timestamp (assuming _time) field along with the chart command output? If yes, give something like this a try (gets last time for a SHORT_ID and command_status_code combination):

index=smsc tag=MPRO_PRODUCTION DATA ="*" command_id_description="*" NOT (...) command_status_code="*" NOT (...) | dedup DATA | stats count max(_time) as time by SHORT_ID command_status_code | eval SHORT_ID_time=SHORT_ID."####".time | chart sum(count) as count by SHORT_ID_time, command_status_code | search NOT ESME_RTHROTTLED=0 | sort - ESME_RTHROTTLED | head 15
| rex field=SHORT_ID_time "(?<SHORT_ID>.+)####(?<time>.+)" | fields - SHORT_ID_time | rename time as _time 
| table _time SHORT_ID *

ganinurceski
Engager

This looks not bad, but now one field value (command_status_code) doesn't show any count/number.
The timestamp is now available. The second field value (command_status_code) is right (right count).

0 Karma
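One way to keep the latest time on the same row as every command_status_code column, as an added example that is not code from any post in this thread: compute max(_time) once per SHORT_ID with eventstats before the chart, so the row key does not vary by status code (eventstats, the last_seen field name and the strftime format are my choices; the "####" separator and the other field names follow the query above, and the NOT (...) filters stay elided as the original poster wrote them).

```spl
index=smsc tag=MPRO_PRODUCTION DATA="*" command_id_description="*" NOT (...) command_status_code="*" NOT (...)
| dedup DATA
| eventstats max(_time) AS last_seen BY SHORT_ID
| eval SHORT_ID_time=SHORT_ID."####".strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| chart count BY SHORT_ID_time, command_status_code
| search NOT ESME_RTHROTTLED=0
| sort - ESME_RTHROTTLED
| head 15
| rex field=SHORT_ID_time "(?<SHORT_ID>.+)####(?<last_seen>.+)"
| fields - SHORT_ID_time
| table last_seen SHORT_ID *
```

Because the time is attached per SHORT_ID rather than per (SHORT_ID, command_status_code) pair, each SHORT_ID stays on one row and every status-code column keeps its count.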

to4kawa
Ultra Champion

Sample log, please.

0 Karma

ganinurceski
Engager

2020-02-05 23:59:59.973348 SESSION_ID=... TRANS_ID=... MSG_ID=... SHORT_ID=... ORIGINATOR="IP":"Port" PROXY="IP":"Port" DESTINATION="IP":"Port" RESULT=0 LENGTH=25 DATA=000000198000000400000000000000A3364636354337434500 EXTRA=

I've removed the field values.

0 Karma

to4kawa
Ultra Champion

| chart count by SHORT_ID, command_status_code

Does your sample contain the above two fields?

| search NOT ESME_RTHROTTLED=0

What's ESME_RTHROTTLED?

I think your chart result is like below:

SHORT_ID,command_stats_code_A,command_stats_code_B,command_stats_code_C
SHORT_ID_A,x,x,x
SHORT_ID_B,y,y,y
....

Using bin, stats and untable works well for aggregation with time as rows in multiple elements, but in that case we cannot make a query unless we know what the value of the field is.

0 Karma