Solved: How to use the timechart command to get a certain ...

brdr · ‎05-10-2018

I have a lookup table with 3 fields: host, user, p_time

The events in the lookup table will contain 12 months of data. I have converted p_time to epoch format.

Simply, what I'm trying to accomplish is to use timechart command with a span of 1 month using p_time - to view the total number of events each month. As a side note, I would also like to include total number of events over 12 month period.

Any help would be appreciated.

woodcock · ‎05-10-2018

Just add this to the bottom of your existing search:

| eval _time = p_time
| timechart span=1mon count

View solution in original post

woodcock · ‎05-10-2018

Just add this to the bottom of your existing search:

| eval _time = p_time
| timechart span=1mon count

somesoni2 · ‎05-10-2018

And add following after the timechart command to get total events for whole 12 month period

| eventstats sum(count) as TotalEvents

brdr · ‎05-10-2018

Awesome. thank you both (as always) for responding 🙂

woodcock · ‎05-10-2018

Nice tag-team, @somsoni2. So now you and @daljeanis are both stalking me and fixing my silly oversights and mistakes. Thanks for picking up my slack.

macadminrohit · ‎05-10-2018

Is there another slack than the splunk user group slack ?

xpac · ‎05-10-2018

Yeah, the idiom "Pick up someones slack" 😉

How to use the timechart command to get a certain amount of time span in custom field?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...