Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use timechart command for the below query
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use timechart command for the below query
divyathota
New Member
03-07-2019
09:49 PM
This is the query i m using:
query1:
sourcetype=tanium earliest=-24h query="User-Sessions-and-Boot-Time-Details-from-Windows" OR query="User-current-session-details-&-Last-Boot-Time---Mac-OSX-to-Splunk" Uptime="1 days" OR Uptime="Less than 1 day" NOT Last_Logged_In_User="*adm"| table Computer_Name Last_Logged_In_User OS_Boot_Time Last_Reboot| eval LastReboot = coalesce(OS_Boot_Time, Last_Reboot)| dedup LastReboot,Last_Logged_In_User| stats count by Computer_Name,Last_Logged_In_User | where count>2
i need a trend analysis for this query for last 30 days.
I also did this:
query2:
sourcetype=tanium query="User-Sessions-and-Boot-Time-Details-from-Windows" OR query="User-current-session-details-&-Last-Boot-Time---Mac-OSX-to-Splunk" NOT Last_Logged_In_User="*adm" | eval LastReboot = coalesce(OS_Boot_Time, Last_Reboot)| dedup LastReboot,Last_Logged_In_User| timechart span=1d count |eval day = strftime(_time,"%d %b %y , %a") |chart sum(count) by day
But, this gives me the entire number of events.
Can anyone help me how to add required condition from query1 to query2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-10-2019
08:20 PM
Like this?
index=YouShouldAlwaysSpecifyIndexValues AND ((sourcetype=tanium AND query="User-Sessions-and-Boot-Time-Details-from-Windows") OR (query="User-current-session-details-&-Last-Boot-Time---Mac-OSX-to-Splunk" AND NOT Last_Logged_In_User="*adm"))
| eval LastReboot = coalesce(OS_Boot_Time, Last_Reboot)
| dedup LastReboot,Last_Logged_In_User
| bin _time span=1d
| eventstats count BY Computer_Name,Last_Logged_In_User _time
| where count>2
| timechart span=1d count
| eval day = strftime(_time,"%d %b %y , %a")
| chart sum(count) by day
NOTE: I may not have done the parentheses correctly but you should NEVER EVER mix AND and OR without parentheses!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
03-10-2019
10:31 AM
@divyathota, is the following what you are looking for?
sourcetype=tanium earliest=-24h query="User-Sessions-and-Boot-Time-Details-from-Windows" OR query="User-current-session-details-&-Last-Boot-Time---Mac-OSX-to-Splunk" Uptime="1 days" OR Uptime="Less than 1 day" Last_Logged_In_User!="*adm"
| eval LastReboot = coalesce(OS_Boot_Time, Last_Reboot)
| dedup LastReboot,Last_Logged_In_User
| bin _time span=1d
| stats count by _time, Last_Logged_In_User, Computer_Name
| search count>2
| timechart sum(count) as Total
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
skalliger
Motivator
03-10-2019
09:27 AM
If you want a trendline, you might want to use trendline instead of chart. This one does what you want. Look at the examples in the docs.
Also, you might want to use Last_Logged_In_User!="*adm" instead of NOT Last_Logged_In_User="*adm" if you're always expecting a user in your events.
Edit: In your first query, that table command is kind of useless. You can remove it If you're after speeding up the query, replace it with fields and put only the needed events in.
Skalli
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Maximizing the Value of Splunk ES 8.x
Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...
Operationalizing TDIR: Building a More Resilient, Scalable SOC
Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...
Introducing .conf Stories Series!
“.conf Stories” Series – First Feature: Rich Mahlerwein
Every year .conf brings together some of the most ...
