Re: How to create timechart with multiple values?

NDabhi21 · ‎03-13-2023

Hello!
I'm trying to make a timechart day wise action by unique user for the proxy logs like this one below, but I'm unable add action field as column.

Below query i had build . please suggest command to archive this requirement .

_time	Action/User	Raj	Jane	Tom
2023-03-11T00:00:00.000+0000	Permitted	1	1	1
2023-03-11T00:00:00.000+0000	Block	0	2	4

Query was build which generate above result without action column

| from datamodel:web
| timechart span=1d count(actions) as Actions by user useother=0 limit=10
| addcoltotals

woodcock · ‎04-06-2023

First, accelerate your Web DM, then do this:

| tstats count
FROM datamodel=Web 
BY Web.action Web.user _time span=1d
| rename Web.* AS *
| eval _{action} = count
| fields - action count
| timechart useother=0 limit=10 span=1d sum(_*) AS * BY user

ITWhisperer · ‎03-13-2023

| bin _time span=1d
| stats count by _time User Action
| eval {User}=count
| fields - count User
| stats values(*) as * by _time Action

NDabhi21 · ‎04-06-2023

Could you please suggest another option, above one is not helpful

How to create timechart with multiple values?

using Enterprise Security

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation