Charting Assistance

yepyepyayyooo · ‎01-06-2020

I'm having an issue with a visualization. Works fine if I don't try to do the fancy eval but won't plot out in visualization when I do.

index="bro" sourcetype="bro_conn" dest_ipi_zone="INT" dest_ipi_zone="INT" TERM(1.1.1.1) bytes>=50000
| eval bytes+=case( 
    bytes>=(1024*1024*1024*1024),round(bytes/(1024*1024*1024*1024),0)." TB",
    bytes>=(1024*1024*1024),round(bytes/(1024*1024*1024),0)." GB",
    bytes>=(1024*1024),round(bytes/(1024*1024),0)." MB",
    bytes>=1024,round(bytes/1024,0)." KB",
    1=1,bytes." B")
| lookup dnslookup clientip as dest_ip output clienthost as dest_dns
| eval time=strftime(_time,"%Y/%m/%d %H:%M")
| bucket time span=4h 
| chart values(bytes+) by time dest_dns usenull=f useother=f limit=5

richgalloway · ‎01-06-2020

By "fancy eval" do you mean the eval that creates the 'bytes+' field? If so, have you tried using a field name without '+' in it?

---
If this reply helps you, Karma would be appreciated.

yepyepyayyooo · ‎01-06-2020

Yes, that's just the name of the new field. I named it bytess, bytes1, etc. Doesn't make a difference :'(

richgalloway · ‎01-06-2020

So what is the query that works?

---
If this reply helps you, Karma would be appreciated.

yepyepyayyooo · ‎01-06-2020

I don't know, that's what I'm asking Splunk Answers for.

richgalloway · ‎01-06-2020

"Works fine if I don't try to do the fancy eval ". Please share the part that works fine.

---
If this reply helps you, Karma would be appreciated.

Charting Assistance

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability