Splunk Enterprise Security

How to create timechart with multiple values?

NDabhi21
Explorer

Hello!
I'm trying to make a timechart day wise action by unique user for the proxy logs like this one below, but I'm unable add action field as column.

Below query i had build . please suggest command to archive this requirement .

_time Action/User  Raj Jane Tom
2023-03-11T00:00:00.000+0000 Permitted 1 1 1
2023-03-11T00:00:00.000+0000 Block 0 2 4


Query was build which generate above result without action column  

| from datamodel:web
| timechart span=1d count(actions) as Actions by user useother=0 limit=10
| addcoltotals

Labels (1)
0 Karma

woodcock
Esteemed Legend

First, accelerate your Web DM, then do this:

| tstats count
FROM datamodel=Web 
BY Web.action Web.user _time span=1d
| rename Web.* AS *
| eval _{action} = count
| fields - action count
| timechart useother=0 limit=10 span=1d sum(_*) AS * BY user
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| bin _time span=1d
| stats count by _time User Action
| eval {User}=count
| fields - count User
| stats values(*) as * by _time Action
0 Karma

NDabhi21
Explorer

Could you please suggest another option, above one is not helpful 

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...