Solved: How to reduce TimeChart count by minute if bins > ...

subtrakt · ‎01-30-2018

Hi Everyone,

Would like to reduce bin count to 1 for each bin if total bins is greater than 10. (basically I want to flatline a timechart if a trend last longer than 10 minutes)

Here's what I came up with but it's not changing the counts. This will show the timecount in the legend but still can't get it to decrease real count to 1 if bins are > 10

Query:

| bin span=1m  _time | eventstats dc(_time) AS TIMECOUNT by host TYPE  | eval TYPE=host." ".TYPE." 

    | TIMECOUNT=".TIMECOUNT | timechart span=1m count(eval(if(TIMECOUNT>10,count=1,count))) by TYPE limit=0

somesoni2 · ‎01-30-2018

Give this a try

your base search
| bucket span=1m _time | stats count by _time host TYPE 
| eval TYPE=host." ".TYPE."  
| eventstats dc(_time) AS TIMECOUNT by TYPE 
| eval count=if(TIMECOUNT>10,1,count)
| timechart span=1m sum(count) by TYPE limit=0

View solution in original post

somesoni2 · ‎01-30-2018

Give this a try

your base search
| bucket span=1m _time | stats count by _time host TYPE 
| eval TYPE=host." ".TYPE."  
| eventstats dc(_time) AS TIMECOUNT by TYPE 
| eval count=if(TIMECOUNT>10,1,count)
| timechart span=1m sum(count) by TYPE limit=0

subtrakt · ‎01-30-2018

That works. Thanks!

subtrakt · ‎01-30-2018

Added host to eventstats and looks like its working now and keeping the TYPE > 10 bins at 1, everything else normal count. Thanks again!

subtrakt · ‎01-30-2018

Apologies.

Just realized it works but every other TYPE = 1 also. The stuff > 10 buckets should be 1 everything else should keep its original count.

ssadanala1 · ‎01-30-2018

can you elaborate your use case

How to reduce TimeChart count by minute if bins > x?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?