Solved: Re: Add daily stats to Search

Madmax · ‎11-03-2023

I was able to find this search that gives me the number of users(IONS) who disconnected 10 or more times however it gives me the total based on time. I would like to display a daily number for 30 days in a line chart. For example Monday there were 10 users who disconnected over 10 time and so on for the rest of week. I can't seem to get the timechart to work with this:

index=gbts-vconnection sourcetype=VMWareVDM_debug "onEvent: DISCONNECTED" (host=Host1 OR host=host2)
| rex field=_raw "(?ms)^(?:[^:\\n]*:){5}(?P<IONS>[^;]+)(?:[^:\\n]*:){8}(?P<Device>[^;]+)(?:[^;\\n]*;){4}\\w+:(?P<VDI>\\w+)" offset_field=_extracted_fields_bounds
| stats count by Device IONS
| where count >= 10
| appendpipe [|stats count as IONS | eval Device="Total"]

FelixLeh · ‎11-03-2023

If I understand you correctly the query should work like this:

index=gbts-vconnection sourcetype=VMWareVDM_debug "onEvent: DISCONNECTED" (host=Host1 OR host=host2)
| rex field=_raw "(?ms)^(?:[^:\\n]*:){5}(?P<IONS>[^;]+)(?:[^:\\n]*:){8}(?P<Device>[^;]+)(?:[^;\\n]*;){4}\\w+:(?P<VDI>\\w+)" offset_field=_extracted_fields_bounds
| eventstats count as failed_count by Device IONS
| where failed_count>=10
| timechart dc(IONS) as IONS span=1d

This will show you the amount of user with more than 10 failed logons on each day.

View solution in original post

Madmax · ‎11-03-2023

That's exactly what I needed!!! Thank you very much.

FelixLeh · ‎11-06-2023

I'm glad I was able to help!

FelixLeh · ‎11-03-2023

If I understand you correctly the query should work like this:

index=gbts-vconnection sourcetype=VMWareVDM_debug "onEvent: DISCONNECTED" (host=Host1 OR host=host2)
| rex field=_raw "(?ms)^(?:[^:\\n]*:){5}(?P<IONS>[^;]+)(?:[^:\\n]*:){8}(?P<Device>[^;]+)(?:[^;\\n]*;){4}\\w+:(?P<VDI>\\w+)" offset_field=_extracted_fields_bounds
| eventstats count as failed_count by Device IONS
| where failed_count>=10
| timechart dc(IONS) as IONS span=1d

This will show you the amount of user with more than 10 failed logons on each day.

Madmax · ‎11-06-2023

I spoke too soon. It appears that the numbers are not accurate. It shows the proper number if I set the time picker to last 24 hours but once I select last 30 days the number for yesterday increase by hundreds.

FelixLeh · ‎11-07-2023

My bad. I forgot to add a time variable to the eventstats. By disregarding time the query checks whether a user has more than 10 failed logins over the entire search span. If your data already has a date stamp then you can use that. Alternatively you could adjust the query like this:

index=gbts-vconnection sourcetype=VMWareVDM_debug "onEvent: DISCONNECTED" (host=Host1 OR host=host2)
| rex field=_raw "(?ms)^(?:[^:\\n]*:){5}(?P<IONS>[^;]+)(?:[^:\\n]*:){8}(?P<Device>[^;]+)(?:[^;\\n]*;){4}\\w+:(?P<VDI>\\w+)" offset_field=_extracted_fields_bounds
| eval temp_date = strftime(_time, "%Y-%m-%d")
| eventstats count as failed_count by IONS,temp_date
| where failed_count>=10
| timechart dc(IONS) as IONS span=1d

Madmax · ‎11-07-2023

That worked like a charm!! Thanks again!

Add daily stats to Search

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation