Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Graph displays incorrectly with timechart function

Hegemon76
Communicator
‎04-10-2018 04:06 PM

Here is my search string:

product=Windows EventCode=645 OR EventCode=4741 | timechart span=1w count | eval Severe=if(count>25,count,0) | eval High=if(count<=25 AND count>20,count, 0)| eval Moderate = if(count<=20 AND count>15,count,0) | eval Low = if(count<=15 AND count>7,count, 0) | eval Very Low = if(count<=7 AND count>0,count, 0)| rename _time as Date, count as Count |convert timeformat="%Y-%m-%d" ctime(Date)

I have the corresponding XML but it isn't letting me post it. It works....all the colors work.

These two are correct in terms of what I'm going for however when the visualization displays there is a count "bar" that corresponds directly to the other bars come out to. All I wanted to do was have a chart with different colors than blue to distinguish data by week but it seems like this is impossible based on everything I've read. You have to use timechart and timechart seems to only display data with a count field that makes the whole thing look like trash.

Any help would be great!

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎04-11-2018 03:00 AM

@Hegemon76, please try out the following run anywhere search example based on Splunk's _internal index. You can change | bin _time span=1w and | eval _time=strptime(strftime(_time,"%Y/%m/%d"),"%Y/%m/%d") as per your need.

index=_internal sourcetype=splunkd log_level!=INFO 
| bin _time span=1h 
| stats count by _time 
| eval Status=case(count>25,"Severe",
    count<=25 AND count>20,"High",
    count<=20 AND count>15,"Moderate",
    count<=15 AND count>7,"Low",
    count<=7 AND count>0,"Very Low",
    true(), 0) 
| timechart span="1h" sum(count) as Count by Status 
| eval _time=strptime(strftime(_time,"%Y/%m/%d %H"),"%Y/%m/%d %H")
| fillnull value=0
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Hegemon76
Communicator
‎04-11-2018 09:57 AM

So it works! This is great! Thanks niketnilay

However.....

How can I increase the size of the horizontal bar chart lines (or vertical the type of chart doesn't matter) ? Keep in mind I changed your script to this:

product=Windows EventCode=645 OR EventCode=4741
| bin _time span=1w
| stats count by _time
| eval Status=case(count>25,"Severe",
count<=25 AND count>20,"High",
count<=20 AND count>15,"Moderate",
count<=15 AND count>7,"Low",
count<=7 AND count>0,"Very Low",
true(), 0)
| timechart span="1h" sum(count) as Count by Status
| eval _time=strptime(strftime(_time,"%Y/%m/%d"),"%Y/%m/%d")
| fillnull value=0

The lines are incredibly small now (graphically) and clicking "format virtualization" to stacked or non stack doesn't do anything anymore. One issue begets another is seems.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎04-11-2018 10:01 AM

That is because you missed out changing span="1w" inside timechart command.

| timechart span="1w" sum(count) as Count by Status

Just FYI, for posting Image, you can upload the same to any image sharing site and then use the link using Image Button Ctrl+G.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

Hegemon76
Communicator
‎04-11-2018 10:06 AM

Ya I tried that and it just says I don't have enough karma.

Simple fix made the chart work. This is great thanks! I'm curious what removed the "count" part though?

Was is the "|fillnull value=0" or the entirety of what you did. That was driving me nuts for around 2 days trying to figure this out.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎04-11-2018 10:13 AM

The timechart command with split by Status field generates the count of Status and names the fields as the Status Name ie Low, Moderate etc. So there is not Count field.

fillnull just fills 0 instead of null to represent numeric data in graph.

Glad you found your solution. Do up vote the comments that helped 🙂

I am surprise that Link can not be attached. Are you sure you are not trying to use the Attachment button Ctrl+U which looks like a Paper Clip, as that is restricted by Karma points. In any case you can also directly paste the link of image sharing site where the image is uploaded just in case.

Have a great day ahead!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

Hegemon76
Communicator
‎04-11-2018 10:22 AM

Thanks for your help!

0 Karma
Reply
Solved! Jump to solution

Hegemon76
Communicator
‎04-11-2018 02:27 PM

I probably need to open a new question but that doesn't work for stats count or chart count.

0 Karma
Reply
Solved! Jump to solution

Hegemon76
Communicator
‎04-11-2018 09:31 AM

I need more karma points to post images.

😞

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎04-11-2018 03:00 AM

@Hegemon76, please try out the following run anywhere search example based on Splunk's _internal index. You can change | bin _time span=1w and | eval _time=strptime(strftime(_time,"%Y/%m/%d"),"%Y/%m/%d") as per your need.

index=_internal sourcetype=splunkd log_level!=INFO 
| bin _time span=1h 
| stats count by _time 
| eval Status=case(count>25,"Severe",
    count<=25 AND count>20,"High",
    count<=20 AND count>15,"Moderate",
    count<=15 AND count>7,"Low",
    count<=7 AND count>0,"Very Low",
    true(), 0) 
| timechart span="1h" sum(count) as Count by Status 
| eval _time=strptime(strftime(_time,"%Y/%m/%d %H"),"%Y/%m/%d %H")
| fillnull value=0
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎04-10-2018 10:55 PM

@Hegemon76 can you post code using code button i.e. button with 101010 on it (shortcut is CTRL+K). Also if possible can you upload screen mock up of what you have and what is the issue? You can upload to any image sharing site and then post the image link using Image button (Shortcut Ctrl+G).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

Hegemon76
Communicator
‎04-11-2018 09:28 AM

product=Windows EventCode=645 OR EventCode=4741 | timechart span=1w count| eval Severe=if(count>25,count,0) | eval High=if(count<=25 AND count>20,count, 0)| eval Moderate = if(count<=20 AND count>15,count,0) | eval Low = if(count<=15 AND count>7,count, 0) | eval Very Low = if(count<=7 AND count>0,count, 0)| rename _time as Date |convert timeformat="%Y-%m-%d" ctime(Date)

{"Severe":0xFF0000,"High":0xff8000,"Moderate":0xFFFF00,"Low":0x00FF00,"Very Low":0x0000ff}

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...