Splunk Search

How can I use timechart with Where condition and stats?

Alanmas
Explorer

Hello!

I am trying to figure out how to convert an table query into a histogram using timechart(), but I am having issues as no data is flowing (I read that is because when you use stats the value of _time disappear or something).

Here is my old query:

 

 

 

index="something" source="*-value*" ("random value 1" OR "*random value 2*")
| stats count(eval(match(_raw, "random value 1"))) as value_1,
       count(eval(match(_raw, "random value 2"))) as value_2
       by source
| where value_1 > 0 AND value_2 > 0
| table source

 

 

 


And this is what I have so far:

 

 

 

index="something" source="*-value*" ("random value 1" OR "*random value 2*")
| stats count(eval(match(_raw, "random value 1"))) as value_1,
       count(eval(match(_raw, "random value 2"))) as value_2
       by source
| where value_1 > 0 AND value_2 > 0
| timechart span=1d dc(source) as unique_sources

 

 

 


But not data is flowing, I already tried other ways and I am sure should be something easy that I am not able to figure out 😞

Labels (2)
0 Karma
1 Solution

yeahnah
Motivator

Hi @Alanmas 

That is correct, the stats command summarised/transforms the data stream, so if you want to use a field in subsequent commands then you must ensure the field is based by either grouping (BY clause) or using a function.

In this case, you look to be summarising results on a daily bases so something like this might meet your needs  

index="something" source="*-value*" ("random value 1" OR "*random value 2*")
| bin span=1d _time
| stats count(eval(match(_raw, "random value 1"))) as value_1,
       count(eval(match(_raw, "random value 2"))) as value_2
       by _time source
| where value_1 > 0 AND value_2 > 0
| timechart span=1d dc(source) as unique_sources

Hope that helps

View solution in original post

Alanmas
Explorer

@yeahnah and just out of curiosity, is it possible to create a Multi-Series Line Chart using 2 different queries that works by themselves?

For example:
1 line:

index="something" source="*-value*" ("random value 1" OR "*random value 2*")
| bin span=1d _time
| stats count(eval(match(_raw, "random value 1"))) as value_1,
       count(eval(match(_raw, "random value 2"))) as value_2
       by _time source
| where value_1 > 0 AND value_2 > 0
| timechart span=1d dc(source) as unique_sources

2nd line chart:

index="something" source="*-value*" ("random value 1" OR "*random value 3*" OR "*random value 4*" OR "*random value 5*")
| bin span=1d _time
| stats count(eval(match(_raw, "random value 1"))) as value_1,
       count(eval(match(_raw, "random value 3"))) as value_3,
       count(eval(match(_raw, "random value 4"))) as value_4,
       count(eval(match(_raw, "random value 5"))) as value_5,
       by _time source
| where value_1 > 0 AND (value_3 > 0 OR value_4 OR value_5)
| timechart span=1d dc(source) as unique_sources

 

It looks like it is easier just to split into to 2 billboards, but might be be better to have them in the same one (in case it is possible)

0 Karma

Alanmas
Explorer

Just to answer my own question, yes it is possible just adding union between them 🙂

yeahnah
Motivator

Hi @Alanmas 

That is correct, the stats command summarised/transforms the data stream, so if you want to use a field in subsequent commands then you must ensure the field is based by either grouping (BY clause) or using a function.

In this case, you look to be summarising results on a daily bases so something like this might meet your needs  

index="something" source="*-value*" ("random value 1" OR "*random value 2*")
| bin span=1d _time
| stats count(eval(match(_raw, "random value 1"))) as value_1,
       count(eval(match(_raw, "random value 2"))) as value_2
       by _time source
| where value_1 > 0 AND value_2 > 0
| timechart span=1d dc(source) as unique_sources

Hope that helps

Alanmas
Explorer

@yeahnah THANK YOU!!!

I did not know the usage of bin + by _time

This is exactly what I was looking for!! YOU ARE AWESOME 🙂

0 Karma
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...