How to edit my search to generate a report of Curr...

wmusch · ‎05-12-2017

Greetings everyone.

I'm trying to do what I think is a simple task, but for some reason it is troubling. I loaded some CSV data into Splunk, and have this search:

Course="MYCOURSE*" Progres=100 | chart count by Course "Current Status"

Now, I get a result of my four courses, and the pass fail state (Current Status).

That is good, now I cant seem to generate this report over time. So basically I would like to see a bar graph, showing the pass/fail state for each course for each month. The trouble I think I'm running into is the use of chart and not timechart, however I seem to have trouble creating a timechart that breaks up the "Current Status" field that could be either pass or fail

Here is an example of the data set:
User User ID Course Course Start Date Course Completion Date Progress Current Average Current Status Time In Course
Jon ID1 Course 1 2/16/2017 16:25 2/17/2017 13:49 100 86 PASS 1h 17m
Doe ID1 Course 1 10/28/2016 3:43 11/7/2016 5:11 100 72 FAIL 107h 32m

woodcock · ‎05-17-2017

Like this:

Course="MYCOURSE*" Progres=100 | eval CourseAndStatus = Course . ":" . $Current Status$ | timechart count BY CourseAndStatus

How to edit my search to generate a report of Current Status over time?

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann