I have a lookup table with 3 fields: host, user, p_time
The events in the lookup table will contain 12 months of data. I have converted p_time to epoch format.
Simply, what I'm trying to accomplish is to use timechart command with a span of 1 month using p_time - to view the total number of events each month. As a side note, I would also like to include total number of events over 12 month period.
Any help would be appreciated.
Just add this to the bottom of your existing search:
| eval _time = p_time
| timechart span=1mon count
Just add this to the bottom of your existing search:
| eval _time = p_time
| timechart span=1mon count
And add the following after the timechart command to get the total number of events for the whole 12 month period:
| eventstats sum(count) as TotalEvents
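Put together as one search that starts from the lookup itself, as an added example (not one of the answers above); the lookup name hosts_12m.csv is an assumption, and it presumes p_time already holds epoch seconds as the question states:

```spl
| inputlookup hosts_12m.csv
| eval _time = p_time
| timechart span=1mon count
| eventstats sum(count) as TotalEvents
```

timechart needs _time populated before it runs, so the eval must come first; if p_time were still a string rather than epoch, the first eval would be replaced by eval _time = strptime(p_time, "<format>") with the matching format string.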
Awesome. Thank you both (as always) for responding 🙂
Nice tag-team, @somsoni2. So now you and @daljeanis are both stalking me and fixing my silly oversights and mistakes. Thanks for picking up my slack.
Is there another slack than the splunk user group slack ?
Yeah, the idiom "pick up someone's slack" 😉