Solved: help on timechart

jip31 · ‎01-28-2022

hello

I need to do a timechart from a stats count

this stats count is used to pre filter events (sante=OK)

index=toto sourcetype=tutu 
| stats count(hang) as hang, count(crash) as crash, count(web) as web by site 
| eval sante=if((hang>5) AND (crash>2) AND (webduration>=1), "OK","KO")   
| search sante=OK

Now I wonder how to do to timechart these events?

Thanks

ITWhisperer · ‎01-28-2022

Your stats command needs to include some sort of time element

index=toto sourcetype=tutu 
| bin _time span=1h
| stats count(hang) as hang, count(crash) as crash, count(web) as web by _time site 
| eval sante=if((hang>5) AND (crash>2) AND (webduration>=1), "OK","KO")   
| search sante=OK

View solution in original post

ITWhisperer · ‎01-28-2022

Your stats command needs to include some sort of time element

index=toto sourcetype=tutu 
| bin _time span=1h
| stats count(hang) as hang, count(crash) as crash, count(web) as web by _time site 
| eval sante=if((hang>5) AND (crash>2) AND (webduration>=1), "OK","KO")   
| search sante=OK

help on timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation