- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I plot events returned from my search on a ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I plot events returned from my search on a scatter graph over time?
Hi helpful people,
I wish to plot login events on a scatter graph. I would like to show when logins have occurred and on what host. (preferably color can symbolize a certain host if that is possible). Here is my search below:
host=??? NOT host=??? NOT host=??? NOT username=??? NOT username=??? NOT username=??? NOT username=??? "new session"
This search returns all the login events, but I cannot seem to understand how to use the scatter graphs in Splunk.
Any help would be truly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Welcome to splunk. If you have not already done so I highly recommend going through the search tutorial. It will take you a few hours but you will learn a great deal! http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchTutorial/WelcometotheSearchTutorial
First up your search has some redundant terms. Because you have a positive term for host, there is no need to specify NOT host, as host can only have a single value. I would write it like this:
host=??? AND "new session" NOT (username=??? OR username=??? OR username=??? OR username=???)
In this case, to generate data for the visualisation yu will need a reporting command. Lets say your events contain a field called foo, then your search should be something like this:
host=??? AND "new session" NOT (username=??? OR username=??? OR username=??? OR username=???) | stats count(foo) by username
Then when you select the visualization tab your scatter plot should populate. Your actual reporting search will depend on what data you have and how you want to present it - as I said if you do the search tutorial it will show you what to do.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have read much of it and I am becoming more and more familiar with Splunk with each passing week. Trouble is that I have never been able to successfully implement an idea on a scatter graph.
The main issue I'm having is that I'm trying to plot against time. Therefore, may I ask whether a timechart be more suitable?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In this case a timechart would be better, for example:
| timechart span=1h count(foo)
if you want to plot all events with the field foo each hour or
| timechart span=1h count(foo) by username
if you want to see a line for each username.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep do what @JMichaelis said - you should get the results you're after.
See http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Timechart for more specifics
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
