How to use timechart to display whether a log exis...

JohnCM8181 · ‎05-24-2023

I am trying to write a search that displays a table that shows whether a log in cloud watch exists or not every 15 minutes over a 5 hour period. The caveat being that I would like it to show a 0 for time intervals that don’t have the log even if they’re in the future. I’m also having trouble formatting the result table so that the time intervals are the columns/x axis and the count is row/y-axis.

Any help would be greatly appreciated, thanks!

yuanliu · ‎05-25-2023

Assuming that you are using line chart, and you want the value to be 1 when log exists and 0 when there is no log during the bucket, something like this will do

| tstats count where source=cloud_log earliest=-3h latest=+2h by _time span=15m
| timechart sum(eval(if(count > 0, 1, 0))) as has_log
| fillnull value=0

If you only want to display line on the zero axis and don't care how the column look like, you can skip fillnull, just set visualization to touch zero.

How to use timechart to display whether a log exists or not over a certain time range in 15 minute buckets?

chart

count

eval

table

timechart

What’s New & Next in Splunk SOAR

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

September Community Champions: A Shoutout to Our Contributors!

Are you a member of the Splunk Community?

How to use timechart to display whether a log exists or not over a certain time range in 15 minute buckets?