Re: How do I add the date each data point to the r...

daleydlin · ‎02-08-2021

I am creating a dashboard to collect the past 30 days of data of countries and hits.

I am new to Splunk dashboard's/report/analytics. I've learned to use splunk the past 5 days and running a query is equivalent to coding in "Splunk" similar to how creating a dashboard in "ServiceNow" is coding in ServiceNow.

I need to know what to enter into my query to create a new column with the date of each data point. It's a simple ask and I cannot find the answer anywhere on your forum or documentation.

mztopp · ‎02-08-2021

I'm not sure what search you are using at the moment, but here is a generic example of what I believe you are asking: <search here> | stats count by _time, field1, field2

This would result in:

_time field1 field2 count

-------------------------------------------------------------------------------------------------------------

2021-02-08 17:00:00 ex1 ex2 1

daleydlin · ‎02-08-2021

The query I am modifying that somebody else wrote is:

index=default-ap1 sourcetype="Service-cb152a4c4e694c9f9f74b261f0a8e909-prod-*" magic_bits | eval is_tamp=if(magic_bits!=0 AND magic_bits!=1, "tamp request", "gen request") | search is_tamp="tamp request" | iplocation request_client_ip | top limit=100 Country

How do I add the date to each data point to the report

data model

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?