Re: How to post process this query to display time...

lsy9891 · ‎09-13-2019

Hi,

I have this query that I use as a base search query.

host=NETWEBA* sourcetype=iis NOT("ErrorGuid") cs_uri_stem="/order20/api/order/confirmation*" (sc_status="2**" OR sc_status="3**") "GET" | stats distinct_count(eo) by cs_host

In my post-process query I want to distinct_count(eo) and display it in a timechart by hour. So I wrote this

fields _time | timechart span=1h count(eo) as Number_of_Orders

But no chart is displayed even if I added the time field?

gcusello · ‎09-13-2019

Hi lsy9891,
after the stats command, you have only the fields you used (in you case eo and cs_host) so if you want to run a timechart you have to use also _time taking it using the values option.
The problem is that probably you'll have more than one _time so you have to decide which one is more important, e.g you could take the first one with earliest(_time) AS _time or the last one latest(_time) AS _time.

In addition, just some hint:

use always the index=something option because your search will be faster,
in stats command use always the AS after dc or other options,
if you use the fields command before the timechart, you can use only the fields that are in the list, so you cannot use eo.

In other words, something like this:

index=your_index host=NETWEBA* sourcetype=iis NOT("ErrorGuid") cs_uri_stem="/order20/api/order/confirmation*" (sc_status="2**" OR sc_status="3**") "GET" 
| stats earliest(_time) AS _time distinct_count(eo) AS eo by cs_host

| timechart span=1h count(eo) as Number_of_Orders

Bye.
Giuseppe

How to post process this query to display timechart instead?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!