Hi Fellow Splunkers,
I have a search that is using lookup tables to show how many of our hosts are reporting. When I run the query, it populates the number for me, but it doesn't draw the trend line and I haven't been able to find a way to enable it, unfortunately. Best advice I can find is to run a timechart, but I'm having a hard time converting this over.
| `asset_eventcount` | search (`get_category(pci)`) () tag= expected | sort 0 - lastTime | `uitime(firstTime)` | `uitime(lastTime)` | eval last_logged = round((now() - lastTime)/86400) | replace -1 with 0 in last_logged | eval last_logged = if(last_logged<30, "Logging", last_logged) | eval last_logged = if(last_logged>30, "Stopped Logging", last_logged) | eval last_logged = if(isnull(last_logged) OR last_logged="", "Never Logged", last_logged) | stats count by last_logged | where last_logged="Logging" | fields count
We have a master list of thousands of hosts, and one of our dashboards has a single value visualization for active hosts, inactive hosts, and never before seen hosts. We'd like to visualize it with a trend to see if new hosts have been added, or to see if any have stopped logging at a quick glance.
In order to do a timechart, you need to have a _time.
You also need to be charting a consistent metric, not words.
Regardless of that, I'm not sure what a trend line on this data would really tell you.
To a degree, this data is the reverse of a trend... or the shadow of the inverse of a trend not happening...
Related trends that might be mapped:
How many servers were reporting on each day.
How many servers were NOT reporting on each day.
How many cumulative server-non-reporting days have accrued as of each date.
What exactly do you want the trendline to tell you?
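The three trends listed in the answer above, worked through in Python on constructed data as an added example (not code from the original thread or from Splunk). Each day acts as the time bucket a timechart needs and every output is a number rather than a label; the host names, dates and the function name `coverage_trend` are assumptions made for illustration.

```python
from datetime import date, timedelta

def coverage_trend(expected_hosts, events, start, end):
    """Return one row per day between start and end (inclusive):
    (day, reporting, not_reporting, cumulative_non_reporting_days)."""
    # Normalise case so "DB01" and "db01" count as the same asset.
    expected = {h.lower() for h in expected_hosts}
    seen = {}  # day -> set of expected hosts that logged on that day
    for host, day in events:
        host = host.lower()
        if host in expected:  # hosts outside the master list are ignored
            seen.setdefault(day, set()).add(host)
    rows, cumulative = [], 0
    day = start
    while day <= end:
        # Days with no events at all still get a row, with reporting = 0.
        reporting = len(seen.get(day, ()))
        not_reporting = len(expected) - reporting
        cumulative += not_reporting
        rows.append((day, reporting, not_reporting, cumulative))
        day += timedelta(days=1)
    return rows

# Constructed sample data (hypothetical hosts and dates).
EXPECTED = ["web01", "db01", "app01", "pos01"]  # pos01 never logs
D1, D2, D3 = date(2024, 1, 1), date(2024, 1, 2), date(2024, 1, 3)
EVENTS = [
    ("web01", D1), ("db01", D1), ("app01", D1),
    ("web01", D2), ("DB01", D2), ("rogue01", D2),  # rogue01 is not an expected host
    ("web01", D3),
]

if __name__ == "__main__":
    for row in coverage_trend(EXPECTED, EVENTS, D1, D3):
        print(*row)
```
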