Splunk Search

How to post process this query to display timechart instead?

lsy9891
Engager

Hi,

I have this query that I use as a base search query.

host=NETWEBA* sourcetype=iis NOT("ErrorGuid") cs_uri_stem="/order20/api/order/confirmation*" (sc_status="2**" OR sc_status="3**") "GET" | stats distinct_count(eo) by cs_host

In my post-process query I want to distinct_count(eo) and display it in a timechart by hour. So I wrote this

fields _time | timechart span=1h count(eo) as Number_of_Orders

But no chart is displayed, even though I added the time field?

0 Karma

gcusello
SplunkTrust

Hi lsy9891,
after the stats command you have only the fields you used (in your case eo and cs_host), so if you want to run a timechart you also have to keep _time, taking it with the values option.
The problem is that you will probably have more than one _time, so you have to decide which one is more important, e.g. you could take the first one with earliest(_time) AS _time or the last one with latest(_time) AS _time.

In addition, just some hints:

  • always use the index=something option, because your search will be faster,
  • in the stats command always use AS after dc or the other functions,
  • if you use the fields command before the timechart, you can only use the fields that are in the list, so you cannot use eo.

In other words, something like this:

index=your_index host=NETWEBA* sourcetype=iis NOT("ErrorGuid") cs_uri_stem="/order20/api/order/confirmation*" (sc_status="2**" OR sc_status="3**") "GET" 
| stats earliest(_time) AS _time distinct_count(eo) AS eo by cs_host

| timechart span=1h count(eo) as Number_of_Orders

Bye.
Giuseppe

0 Karma
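For reference, this is how the base search and the post-process search from the answer above fit together in a Splunk Simple XML dashboard (an added example, not code from either poster). The index name your_index, the 24-hour time range and the single line-chart panel are assumptions.

```xml
<dashboard>
  <label>Order confirmations per hour</label>

  <!-- Base search: runs once. It is a transforming search (stats), so only
       the aggregated fields (_time, eo, cs_host) survive into post-processing. -->
  <search id="base_orders">
    <query>
      index=your_index host=NETWEBA* sourcetype=iis NOT("ErrorGuid")
        cs_uri_stem="/order20/api/order/confirmation*"
        (sc_status="2**" OR sc_status="3**") "GET"
      | stats earliest(_time) AS _time distinct_count(eo) AS eo by cs_host
    </query>
    <earliest>-24h</earliest>   <!-- assumed time range -->
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Number of orders (1h buckets)</title>
      <chart>
        <!-- Post-process search: the base attribute points at the base search id,
             and the query starts with a pipe because it continues that search.
             _time is available here only because the base search kept it. -->
        <search base="base_orders">
          <query>| timechart span=1h count(eo) AS Number_of_Orders</query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Without the earliest(_time) AS _time in the base stats, the post-process timechart has no _time to bucket on and renders an empty chart, which is the symptom described in the question.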