Solved: How to do a timechart from a single panel result?

jip31 · ‎04-27-2022

Hi

I need to do a timechart from a single panel result

In this single panel, I stats events like this

| stats count as PbPerf by s 
| search PbPerf>10
| stats dc(s)

The results of this search is 14 events

Now I need to timechart these 14 events

So I am doing this

| bin _time span=1d 
| stats count as PbPerf by s _time 
| search PbPerf>10
| timechart count span=1h

The first problem I have is that I want to retrieve the 14 events before doing the timechart is that I have to use a span=1d

But of course all the 14 events are grouped with the same _time even if I use a span=1h in the timechart

So how to display a timechart that display a _time value for my 14 events?

Thanks

gcusello · ‎04-27-2022

as I said, if using the BY clause probably you should better analyze your data to understand if the results you're waiting are correct.

Ciao.

Giuseppe

gcusello · ‎04-27-2022

at first, why don't you directly use timechart in you search?

| timechart span=1d count as PbPerf by s
| where PbPerf>10

but anyway, you cannot use before span=1d and then span=1h, because you have the same hour in each date for each day.

Ciao.

Giuseppe

jip31 · ‎04-27-2022

Hi

Your idea is not bad but :

1) the where condition works only if I delete "by s"

2) if I timechart by s, I have only ten results for s

gcusello · ‎04-27-2022

this isn't a problem od the search but of your data, maybe you should use a different threshold.

When you say 14 results are you speking of two weeks or what else?

Ciao.

Giuseppe

jip31 · ‎04-27-2022

it's 14 events

gcusello · ‎04-27-2022

as I said, if using the BY clause probably you should better analyze your data to understand if the results you're waiting are correct.

Ciao.

Giuseppe

gcusello · ‎04-27-2022

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

How to do a timechart from a single panel result?