Splunk Search

Help with Timechart splunk

Amir
Engager

Hey All

I have this search, and I want two results on my visualization. I want to see both "Method" and "User". What is missing here

index=XXX sourcetype="XXX:XXX:message" data.logName="projects/*/logs/cloudaudit.googleapis.com%2Factivity" data.resource.labels.project_id IN (*) AND (
data.resource.type IN(*) (data.protoPayload.methodName IN ("*update*","*patch*","*insert*" ) AND data.protoPayload.authorizationInfo{}.permission IN ("*update*","*insert*"))
OR (data.resource.type IN(*) (data.protoPayload.methodName IN ("*create*", "*insert*") AND data.protoPayload.authorizationInfo{}.permission="*create*"))
OR (data.resource.labels.project_id IN (*) AND data.resource.type IN(*) data.protoPayload.methodName IN (*delete*)))
| eval name1='data.protoPayload.authorizationInfo{}.resourceAttributes.name'
| eval name2='data.protoPayload.authorizationInfo{}.resource'
| eval Name=if(name1="-", name2,name1)
|search Name!="-"
| rename data.protoPayload.methodName as Method, data.resource.type as "Resource Type", data.protoPayload.authorizationInfo{}.permission as Permission, data.timestamp as Time, data.protoPayload.authenticationInfo.principalEmail as User, data.protoPayload.requestMetadata.callerIp as "Caller IP"
| timechart count by Method
Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try changing to line graph, set the format to zero or connect (not gap), then switch back to column chart

View solution in original post

0 Karma

Amir
Engager

@ITWhisperer Amazing thanks a lot. 
Just another question, if i want to search users that ends in @xxx.com
I still want to use the same search but want to sort it to only users that ends with @xxx.com

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Does something like this work for you?

| bin span=30m _time
| stats count by _time Method User
| eventstats sum(count) as Method_count by _time Method
| eventstats sum(count) as User_count by _time User
| eval {Method}=Method_count
| eval {User}=User_count
| fields - count *_count Method User
| timechart values(*) as *
0 Karma

Amir
Engager

Hey looks much better now.
Can I make it nicer in somehow, the vizualization? 

Amir_0-1658395526574.png

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try changing to line graph, set the format to zero or connect (not gap), then switch back to column chart

0 Karma
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...