Re: In pulling stats data via a CSV file to a time...

bablucho · ‎09-21-2018

I'm pulling in stats data via CSV file. I am using a specific column header "LoginTime" as the Date field

I've timecharted to look at the distinct Usernames over a period of time.

base search |timechart dc(Username)

However, the results are doubling up due to _time results which are also showing in unix time.

for e.g
a Username result is found with the Date field result 01/08/2018 22:22:14
and the _time result is 2018-08-31T22:37:50.000+01:00 in the same event.

A timechart period 'All time' outputs this as 2 results:

a result for 31st August and _time result as 2018-01-08T22:22:14.000+00:00

can I switch the _time to display the timechart results as day, month, year? NOT year, day, month.

Vijeta · ‎09-21-2018

Do you want to see distinct user names in a day or hour or whenever they are in event.
You can give span=1d if you are looking for distinct users in a day.
Timechart will consider _time field values only, if there is same user in different events it will be showing it as 2 count.

bablucho · ‎09-24-2018

Hi Vijeta,

I'm running the following SPL
base search| timechart dc(Username) span=1d

the data is being pulled from a file that uses a specific column (LoginTime)as the time field.

the timechart is showing 1 event with 01/08/2018 23:15:29(LoginTime) 1st of August

the timechart is also showing a result for 2018-01-08T23:15:29.000+00:00(_time) 1st of January

it should only show the LoginTime field as the time values not the _time.

Vijeta · ‎09-24-2018

To me both the time look 1st of August and not 1st of January dince date fomat is mm/dd/YYYY .
Try changing the format for _time to the one of Login Time using strptime and strftime.

bablucho · ‎09-21-2018

did you mean base search |eval _time=time|timechart dc(Username)

I'm getting a limited number of events and no timechart visualisation

Sukisen1981 · ‎09-21-2018

sorry I am not very clear on you requirements
How is a different format for _time going to resolve your 'doubling' of timechart results?
Are you trying to use the Date field (login time) to be your time over which you want to build the timechart?
Yes, you are right i meant eval _time=time BUT then i want to see how you are building the field 'time', in other words the eval preceding eval _time=time , ie eval time=??what.
Can you share your query?

bablucho · ‎09-24-2018

How is a different format for _time going to resolve your 'doubling' of timechart results?
because the LoginTime is showing a result in Timechart as 01/08 but the _time value is also in the Timechart showing as 08/01. I want to remove the _time value.

Are you trying to use the Date field (login time) to be your time over which you want to build the timechart?
Yes.

Yes, you are right i meant eval _time=time BUT then i want to see how you are building the field 'time', in other words the eval preceding eval _time=time , ie eval time=??what.
should be equal to Login time field

Can you share your query?
base search| timechart dc(Username) span=1d

Sukisen1981 · ‎09-21-2018

Yes, you can. I did not get your exact requirements, but I do understand that you need to tinker your _time scale to fit your requirements , basically try something like this?base search |eval time=<your formatted time>|eval _time=time|timechart dc(Username)

In pulling stats data via a CSV file to a timechart, why are my results doubling?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!