Re: How to post process this query to display time...

lsy9891 · ‎09-13-2019

Hi,

I have this query that I use as a base search query.

host=NETWEBA* sourcetype=iis NOT("ErrorGuid") cs_uri_stem="/order20/api/order/confirmation*" (sc_status="2**" OR sc_status="3**") "GET" | stats distinct_count(eo) by cs_host

In my post-process query I want to distinct_count(eo) and display it in a timechart by hour. So I wrote this

fields _time | timechart span=1h count(eo) as Number_of_Orders

But no chart is displayed even if I added the time field?

gcusello · ‎09-13-2019

Hi lsy9891,
after the stats command, you have only the fields you used (in you case eo and cs_host) so if you want to run a timechart you have to use also _time taking it using the values option.
The problem is that probably you'll have more than one _time so you have to decide which one is more important, e.g you could take the first one with earliest(_time) AS _time or the last one latest(_time) AS _time.

In addition, just some hint:

use always the index=something option because your search will be faster,
in stats command use always the AS after dc or other options,
if you use the fields command before the timechart, you can use only the fields that are in the list, so you cannot use eo.

In other words, something like this:

index=your_index host=NETWEBA* sourcetype=iis NOT("ErrorGuid") cs_uri_stem="/order20/api/order/confirmation*" (sc_status="2**" OR sc_status="3**") "GET" 
| stats earliest(_time) AS _time distinct_count(eo) AS eo by cs_host

| timechart span=1h count(eo) as Number_of_Orders

Bye.
Giuseppe

How to post process this query to display timechart instead?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?