Splunk Search

How do I plot events returned from my search on a scatter graph over time?

SecureIA
Path Finder

Hi helpful people,

I wish to plot login events on a scatter graph. I would like to show when logins have occurred and on what host. (preferably color can symbolize a certain host if that is possible). Here is my search below:

host=??? NOT host=??? NOT host=??? NOT username=??? NOT username=??? NOT username=??? NOT username=??? "new session"

This search returns all the login events, but I cannot seem to understand how to use the scatter graphs in Splunk.

Any help would be truly appreciated.

0 Karma

jplumsdaine22
Influencer

Hello,

Welcome to Splunk. If you have not already done so, I highly recommend going through the search tutorial. It will take you a few hours, but you will learn a great deal! http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchTutorial/WelcometotheSearchTutorial

First up, your search has some redundant terms. Because you have a positive term for host, there is no need to specify NOT host, as host can only have a single value. I would write it like this:

host=??? AND "new session" NOT (username=??? OR username=??? OR username=??? OR username=???)

In this case, to generate data for the visualisation you will need a reporting command. Let's say your events contain a field called foo, then your search should be something like this:

host=??? AND "new session" NOT (username=??? OR username=??? OR username=??? OR username=???) | stats count(foo) by username

Then when you select the visualisation tab your scatter plot should populate. Your actual reporting search will depend on what data you have and how you want to present it - as I said, if you do the search tutorial it will show you what to do.

0 Karma

SecureIA
Path Finder

I have read much of it and I am becoming more and more familiar with Splunk with each passing week. Trouble is that I have never been able to successfully implement an idea on a scatter graph.

The main issue I'm having is that I'm trying to plot against time. Therefore, may I ask whether a timechart would be more suitable?

0 Karma

JMichaelis
Path Finder

In this case a timechart would be better, for example:
| timechart span=1h count(foo)
if you want to plot all events with the field foo each hour or
| timechart span=1h count(foo) by username
if you want to see a line for each username.
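Putting the thread's pieces together, here is an added example (not from either poster) that keeps the original "new session" filter and username exclusions, and charts logins per hour with one series per host so that each host gets its own colour. The `???` values are the same placeholders the question used; the two-host OR clause is an assumption, since the original search only showed one positive host term.

```spl
(host=??? OR host=???) "new session"
    NOT (username=??? OR username=??? OR username=??? OR username=???)
| timechart span=1h count AS logins BY host limit=0 useother=f
```

Switching the visualisation to a line or column chart shows the hourly login count per host; `limit=0` and `useother=f` stop Splunk from folding less frequent hosts into an "OTHER" series.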

jplumsdaine22
Influencer

Yep, do what @JMichaelis said - you should get the results you're after.

See http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Timechart for more specifics

0 Karma