Splunk Search

Chart

mvasquez21
Explorer

My boss has asked me to create a chart that shows the number of fired alerts (y-axis) by day of the month (x-axis). I suggested we do this as a stacked chart with each alert represented by a different color. I know the alert variable is "ss_name" and i found this expression to create the "date":

convert timeformat="%m-%d" ctime(_time) AS date

I just cant get the correct syntax to get all 3 elements in to the chart. So far i have this:

index=_audit action="alert_fired" | convert timeformat="%m-%d" ctime(_time) AS date | timechart date by ss_name

 

Thanks!

Labels (1)
0 Karma
1 Solution

ITWhisperer
Ultra Champion

Try adding

| xyseries date, ss_name, count

View solution in original post

ITWhisperer
Ultra Champion

How about something like

index=_audit action="alert_fired" | convert timeformat="%m-%d" ctime(_time) AS date | stats count by ss_name, date

Then use a stacked bar chart in your dashboard panel 

0 Karma

mvasquez21
Explorer

i had tried that one already but it puts count and date as the only x-axis items instead of the ss_name (alerts)

Tags (1)
0 Karma

ITWhisperer
Ultra Champion

Try adding

| xyseries date, ss_name, count

View solution in original post

mvasquez21
Explorer

mvasquez21_0-1598626596705.png

 

0 Karma

mvasquez21
Explorer

perfect! thanks!

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @mvasquez21,

why do you want to complicate the search?

timechart is sufficient for your need:

 

index=_audit action="alert_fired" earliest=-30d@d latest=@d
| timechart span=1d count

 

if you want to know how many alerts you fired for each kind of alert, you could run something like this:

 

index=_audit action="alert_fired" earliest=-30d@d latest=@d
| timechart span=1d count BY ss_name

 

but it depends on the number of different alerts: if they are too many your chart isn't readable.

 

The problem is that you want to run a search on a long time (one month) and, if you have many events, this is a very slow search.

So you could schedule this  search as a report by night and display it very quickly or schedule a search saving results in a summary index and running the search on the summary index.

Ciao.

Giuseppe