Splunk Search

Help with Timechart search

New Member

Hi there,

I am just trying to get my head around a visualization that I want to create.

Scenario:

To identify outliers in volumes of traffic.

I want to add together the total bytes (to be displayed on the X axis), and display them against days and hours of a given day (to be displayed on the Y axis). On the scatter graph I would like to see a different line for the day of the week.

..| stats sum(bytes) as total_bytes by date_wday, date_hour

This plots each date_wday on the visualization on the same line. I would like them separated so that I would have each individual weekday represented on the visualization.

Hope that makes sense.


Path Finder

In this case it is difficult to show total_bytes on the X-axis. You can try the code below with date_hour on the X-axis, total_bytes on the Y-axis and date_wday shown with different colors.

<base query> | rename _time as Time | eval date_wday=strftime(Time,"%d/%m/%Y") | eval date_hour=strftime(Time,"%H") | stats sum(bytes) as total_bytes by date_wday, date_hour | fillnull | where total_bytes>=0 | table date_wday date_hour  total_bytes


New Member

Apologies, I meant total bytes on the Y and the date_hour on the X - more or less exactly like your visualization.

I used your code, thank you 🙂 but it is not matching any events or sticking any data into tables.

I am going to try and troubleshoot this myself, but if you have any idea why, please let me know 🙂

Thanks


New Member

| rename _time as Time | eval date_wday=strftime(Time,"%d/%m/%Y") | eval date_hour=strftime(Time,"%H") | stats sum(bytes) as total_bytes by date_wday, date_hour | fillnull | where total_bytes>=0 | table date_wday date_hour total_bytes

So because we are using eval to create date_wday and date_hour, I am not able to use them for the functions. Is there a way around this?

Path Finder

I gave you a general solution using index=_internal because I don't know your actual query. If the solution matches your requirements then you can modify it as per your needs.

New Member

Ok I will give it a go, but the visualization you have generated is perfect.


Engager

Have you tried timechart span=1d count by total_bytes? This should display results on a per-day basis.

https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Timechart

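Added example, not posted by anyone in this thread: an SPL search for the outlier scenario in the original question, grouping hourly byte totals by weekday and hour and flagging hours whose volume sits far above the usual level for that weekday/hour slot. "<base query>" and the bytes field are taken from the posts above; the minimum of 4 samples per slot and the z-score cutoff of 3 are assumed thresholds, not values from the thread.

```spl
<base query>
| bin _time span=1h
| stats sum(bytes) as total_bytes by _time
| eval date_wday=strftime(_time,"%a"), date_hour=strftime(_time,"%H")
| eventstats avg(total_bytes) as baseline_bytes, stdev(total_bytes) as sd_bytes, count as samples by date_wday date_hour
| where samples>=4 AND sd_bytes>0
| eval zscore=round((total_bytes-baseline_bytes)/sd_bytes,2)
| where zscore>3
| table _time date_wday date_hour total_bytes baseline_bytes sd_bytes zscore
| sort - zscore
```

Because stats by _time drops Splunk's default date_wday/date_hour fields, the eval line recreates them from _time, which is also what makes them usable in the later by clauses. To get the one-line-per-weekday chart the question asked for (hours on the X axis, bytes on the Y axis), replace everything from the eventstats line onward with "| chart avg(total_bytes) over date_hour by date_wday".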