Hello, the search I am using is below:
Before trying to chart I got 10s of thousands of results, but I would like to create a chart that only displays the below information: "EventCode, EventType, subject, ComputerName, dest, process_exec, process_id"
Why does my original search work but when I try to create chart it doesn't? Everything is done on Windows so Event Code/Types are Windows. Is anyone able to fix my search so it will pull only the data after chart as well as chart it. Thank you!
(Insert Host Name) user="Insert User Name"
| chart EventCode, EventType, subject, ComputerName, dest, process_exec, process_id
Hi @Robert11,
if you want to group your events (that you already displayed in a table) you have to see the following streaming commands:
you can find all the details and options at https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/WhatsInThisManual
Anyway, if you want to create e.g. a pie chart grouping your events for each of the fields you listed,
you could use something like this (this is an example with one of the fields but you can replicate it also for others):
index=wineventlog
| stats count BY EventCode
In other words, you have to define which is the field to use for grouping events and then use stats.
you can also list the values for the other fields, but always indicating one or more grouping field, e.g. :
index=wineventlog
| stats
values(EventType) AS EventType
values(subject) AS subject
values(dest) AS dest
values(process_exec) AS process_exec
values(process_id) AS process_id
count
BY ComputerName EventCode
You can also count the occurrences for two fields, e.g.:
index=wineventlog
| chart count OVER ComputerName BY EventCode
Ciao.
Giuseppe
@gcusello The commands you posted, will they be going after my search that tables the fields I listed, or as new searches entirely? I am doing this specifically for one system/user so I cannot have a broad search of winevents or processes etc. that have run in the last 24 hours (<-- example). I have already tabled said fields listed in my original posting but now I would like to chart them into a bar graph with an x/y axis, with the fields being across the x-axis and the y-axis being the amount of hits in my desired search period. Or, if possible (probably complex), each field could have dedicated graphs for the information within said field. Currently I am looking at a dozen event codes, so if there were a dozen individual graphs for each event code under the entire field EventCode that would be extremely helpful in differentiating what data belongs to which field. Thanks!
Hi @Robert11,
in panels you normally display a table with all events, like the one you already used, or panels with charts grouping for one or more fields.
So you should use the same search and, instead of using table, use stats or chart for charting; so, answering your question, you have to use stats or chart instead of table.
In addition, to avoid running the same search in many panels, you could explore the opportunity to use the Post Process Search (https://docs.splunk.com/Documentation/Splunk/8.2.6/Viz/Savedsearches#Post-process_searches_2): in a few words, you create a base search that you call from each panel.
Ciao.
Giuseppe
@gcusello Yes, I did that with the chart command:
(Insert Host Name) user="Insert User Name"
| chart EventCode, EventType, subject, ComputerName, dest, process_exec, process_id
The above search is what I believe you are saying to do? When I use this search it throws an error.
When I do the below search it works and populates a Table correctly:
(Insert Host Name) user="Insert User Name"
| Table EventCode, EventType, subject, ComputerName, dest, process_exec, process_id
So if I use the stats or chart command in place of Table like you are suggesting, it will not run properly. Any ideas on why that is? For the sake of your ability to troubleshoot, if you put in your computer name and user name (in place of the Insert....) into your own Splunk instance it should display the error I am getting.
Hi @Robert11,
please read the documentation for stats and chart: you have to define what is/are the fields used for grouping and then put them in chart or stats command, as I described in my first answer:
in stats, you have to define what you want to do (count, distinct count, sum or average or max or min or values of a field) and then the field/s to use for grouping, e.g.:
your search
| stats count BY EventCode ComputerName
For the chart command you have to choose two fields to use as X and Y axes, e.g.:
your search
| chart count OVER EventCode BY ComputerName
you cannot use chart followed by all the field names.
Ciao.
Giuseppe
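To make the difference between `table`, `stats ... BY` and `chart count OVER ... BY` concrete, here is an added Python example (not Splunk's code and not from any participant in this thread) that reproduces the result shapes of the searches shown in Giuseppe's first and third answers over a handful of constructed Windows Security event records. It assumes the bare host term in the original search matches the `ComputerName` field and that the `user` field is the account name; host names, user names and process names are made up.

```python
"""Simulation of the Splunk aggregation semantics discussed in the thread:
`stats count BY`, `stats values(...) BY` and `chart count OVER x BY y`,
run over constructed Windows Security event records. Not Splunk code."""
from collections import Counter, defaultdict

# Constructed sample events; field names mirror the thread. Not real log data.
# HOST-A / jdoe is the "one system, one user" scope the original poster wants.
EVENTS = [
    {"EventCode": "4688", "EventType": "4", "ComputerName": "HOST-A", "user": "jdoe",
     "process_exec": "cmd.exe", "process_id": "1001"},
    {"EventCode": "4688", "EventType": "4", "ComputerName": "HOST-A", "user": "jdoe",
     "process_exec": "powershell.exe", "process_id": "1002"},
    {"EventCode": "4624", "EventType": "4", "ComputerName": "HOST-A", "user": "jdoe"},
    {"EventCode": "4672", "EventType": "4", "ComputerName": "HOST-A", "user": "jdoe"},
    {"EventCode": "4688", "EventType": "4", "ComputerName": "HOST-B", "user": "asmith",
     "process_exec": "cmd.exe", "process_id": "2001"},
    {"EventCode": "4688", "EventType": "4", "ComputerName": "HOST-A", "user": "asmith",
     "process_exec": "notepad.exe", "process_id": "1003"},
]


def filter_events(events, host, user):
    """Stand-in for the base search `(Insert Host Name) user="Insert User Name"`.
    Assumption: the bare host term matches the ComputerName field."""
    return [e for e in events if e.get("ComputerName") == host and e.get("user") == user]


def stats_count_by(events, *by_fields):
    """`stats count BY f1 f2 ...`: one row per distinct combination of the BY
    fields. Events missing any BY field are dropped (null group key)."""
    counts = Counter()
    for e in events:
        key = tuple(e.get(f) for f in by_fields)
        if None in key:
            continue
        counts[key] += 1
    rows = []
    for key, n in sorted(counts.items()):
        row = dict(zip(by_fields, key))
        row["count"] = n
        rows.append(row)
    return rows


def stats_values_by(events, by_fields, value_fields):
    """`stats values(v) AS v ... count BY f1 f2`: per group, the sorted distinct
    values of each requested field (nulls skipped) plus the event count."""
    groups = defaultdict(list)
    for e in events:
        key = tuple(e.get(f) for f in by_fields)
        if None in key:
            continue
        groups[key].append(e)
    rows = []
    for key in sorted(groups):
        row = dict(zip(by_fields, key))
        for v in value_fields:
            row[v] = sorted({e[v] for e in groups[key] if e.get(v) is not None})
        row["count"] = len(groups[key])
        rows.append(row)
    return rows


def chart_count_over_by(events, over, by):
    """`chart count OVER over BY by`: rows are the OVER values (x axis), one
    column per distinct BY value (series), cells are counts, 0 where empty."""
    cells = Counter((e[over], e[by]) for e in events if over in e and by in e)
    row_keys = sorted({k[0] for k in cells})
    cols = sorted({k[1] for k in cells})
    rows = []
    for r in row_keys:
        row = {over: r}
        for c in cols:
            row[c] = cells[(r, c)]
        rows.append(row)
    return rows


if __name__ == "__main__":
    scoped = filter_events(EVENTS, "HOST-A", "jdoe")
    print(stats_count_by(scoped, "EventCode"))
    print(stats_values_by(scoped, ("ComputerName", "EventCode"),
                          ("process_exec", "process_id")))
    print(chart_count_over_by(EVENTS, "EventCode", "ComputerName"))
```

The key point the example makes visible: `table` keeps one row per event, whereas `stats count BY EventCode` collapses the scoped events to one row per event code (the bar-chart input the poster asked for), and `chart count OVER EventCode BY ComputerName` additionally pivots the second field into columns. A `chart` with only a list of field names has no aggregation to compute, which is why that search fails.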
That isn't how the chart command works. Are you trying to make a table? If so you would use ...
...your base search
|table field1, field2, field3, field4, etc ...
If you are trying to display a chart what kind of chart are you wanting?
Hi @fredclown I did make a table of the events after posting this question. What I am trying to do is build a visual bar graph of each of my requested fields across the x axis and on the y axis have the amount of times said field was triggered/occurred. The search/chart would need to be specific to said computer name/user name that I omitted in my original post. Thanks!