Splunk Search

How to display events in chronological order on a graph?

DEAD_BEEF
Builder

I am displaying the number of bytes out per hour for a single user. When I attempt to graph this for the last 24 hours, the Visualization keeps listing the x-axis (each hour) in numerical order.

e.g., if I run the query at 1500 (3PM), I expect data from yesterday 1500 to today 1500:
15, 16, 17, ... 24, 1, 2.... 14, 15

But what I keep getting instead is
0, 1, 10, 11, 12...19, 2, 20, 21...4, 5, 6, 7

How can I get the data to display in the chronological order (oldest to newest)?

I have tried the following sorts to no avail:

sort _time
sort - _time
sort - Time
sort 0 _time
sort 0 - _time
sort 0 - Time

query: index=bro sourcetype=bro_http src_ip=1.2.3.4 | bucket _time span=1h | stats sum(bytes_out) by date_hour | rename sum(bytes_out) AS "Bytes out/hour" | sort _time


somesoni2
Revered Legend

Maybe using timechart instead of "bucket..stats" resolves this. Timechart will give output in chronological order.

index=bro sourcetype=bro_http src_ip=1.2.3.4 | timechart span=1h sum(bytes_out) as "Bytes out/hour"

Update:
Another option

index=bro sourcetype=bro_http src_ip=1.2.3.4 | timechart span=1h sum(bytes_out) as "Bytes out/hour" | eval time=strftime(_time,"%H.%M") | table time "Bytes out/hour"

Updated:
for multiple src_ip

index=bro sourcetype=bro_http src_ip=1.2.3.4 OR src_ip=5.6.7.8 OR src_ip=9.10.11.12 | timechart span=1h sum(bytes_out) as "Bytes out/hour" by src_ip | eval time=strftime(_time,"%H.%M") | fields - _time | table time *

DEAD_BEEF
Builder

Thank you again! I'm working out your responses line by line to really understand it.


somesoni2
Revered Legend

Removing the _time field (replacing it with a regular field) makes it a regular (x,y) chart.

For multiple IP address, see the last updated answer.
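The following is an added worked model, not code from the thread or from Splunk, of why the accepted answer's timechart comes out chronological while the original `bucket ... | stats ... by date_hour` does not, and of what this comment means by turning the result into a regular (x,y) chart. It is plain Python that emulates the SPL commands over constructed sample events (the timestamps, hosts and byte counts are made up; src_ip 1.2.3.4 and 5.6.7.8 are taken from the thread). Two points the thread only hints at are made explicit: `date_hour` is a string-valued hour of day, so the default row order is lexicographic ('0', '1', '10', ...) and a trailing `sort _time` is a no-op because stats has already dropped `_time`; and because `date_hour` has no day in it, a 24-hour window that starts and ends inside the same clock hour sums yesterday's and today's 15:xx into one row. Keying on the bucket epoch (what timechart does) fixes both. Filling empty buckets with 0 is an assumption about how an empty sum renders.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SPAN = 3600  # span=1h

# Constructed sample data (not real bro_http events): a "last 24 hours" window
# ending at 15:07 UTC, one event just after each hour boundary for src_ip=1.2.3.4,
# a second host on two of those hours, and one extra event at 15:05 today so
# that both yesterday's and today's 15:xx hour carry data.
NOW = datetime(2021, 6, 1, 15, 7, tzinfo=timezone.utc)
EARLIEST_EPOCH = (NOW - timedelta(hours=24)).timestamp()
LATEST_EPOCH = NOW.timestamp()


def make_events():
    """Return (epoch, src_ip, bytes_out) tuples; hourly bytes grow with the
    hour offset so every bucket is distinguishable in the output."""
    events = []
    for h in range(24):
        t = (NOW - timedelta(hours=24) + timedelta(hours=h)).timestamp()
        events.append((t, "1.2.3.4", 100 * (h + 1)))
        if h in (0, 12):
            events.append((t, "5.6.7.8", 7))
    events.append(((NOW - timedelta(minutes=2)).timestamp(), "1.2.3.4", 50))
    return events


EVENTS = make_events()
SINGLE_IP_EVENTS = [e for e in EVENTS if e[1] == "1.2.3.4"]  # src_ip=1.2.3.4


def bucket(epoch, span=SPAN):
    """`bucket _time span=1h`: floor the timestamp to the span boundary."""
    return int(epoch) - int(epoch) % span


def stats_by_date_hour(events):
    """Models `bucket _time span=1h | stats sum(bytes_out) by date_hour`.

    date_hour is the hour of day as a string, so rows come back in
    lexicographic order ('0', '1', '10', '11', ...), and since the day is
    gone, yesterday's 15:xx and today's 15:xx are summed into a single row.
    A trailing `| sort _time` changes nothing: stats already dropped _time.
    """
    sums = defaultdict(int)
    for epoch, _ip, bytes_out in events:
        date_hour = str(datetime.fromtimestamp(bucket(epoch), timezone.utc).hour)
        sums[date_hour] += bytes_out
    return sorted(sums.items())


def timechart(events, earliest, latest, span=SPAN, by_ip=False):
    """Models `timechart span=1h sum(bytes_out) [by src_ip]`.

    Rows are keyed on the bucket's epoch, one per span from earliest to
    latest, so they are chronological by construction; with by_ip each
    src_ip becomes its own column (series). Empty buckets are emitted as 0
    here (assumption about how an empty sum is rendered).
    """
    sums = defaultdict(int)
    series = set()
    for epoch, ip, bytes_out in events:
        if not earliest <= epoch <= latest:
            continue
        name = ip if by_ip else "Bytes out/hour"
        series.add(name)
        sums[(bucket(epoch, span), name)] += bytes_out
    rows, t = [], bucket(earliest, span)
    while t <= bucket(latest, span):
        row = {"_time": t}
        row.update({name: sums.get((t, name), 0) for name in sorted(series)})
        rows.append(row)
        t += span
    return rows


def label_rows(rows):
    """`eval time=strftime(_time,"%H.%M") | fields - _time | table time *`:
    swapping _time for a plain string column turns the time series into an
    ordinary x/y table, so every row becomes its own tick on the chart."""
    out = []
    for row in rows:
        labelled = {"time": datetime.fromtimestamp(row["_time"], timezone.utc).strftime("%H.%M")}
        labelled.update({k: v for k, v in row.items() if k != "_time"})
        out.append(labelled)
    return out


if __name__ == "__main__":
    print("stats by date_hour order:", [k for k, _ in stats_by_date_hour(SINGLE_IP_EVENTS)])
    for row in label_rows(timechart(EVENTS, EARLIEST_EPOCH, LATEST_EPOCH, by_ip=True)):
        print(row)
```

Running the script prints the lexicographic hour list from the stats variant, then the 25 labelled rows of the multi-host timechart in order from 15.00 yesterday to 15.00 today, with one column per src_ip.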

DEAD_BEEF
Builder

The second query is exactly what I was looking for! When I've used timecharts in the past, you cannot dictate the number of "ticks" on the x-axis (like in your first suggestion) which is why I was using buckets, yet the second query shows every hour. What about the second query forces it to show each tick mark?

EDIT: Also, could you suggest a way to graph this for 3 source IP addresses (3 lines showing bytes out per hour)?
