Splunk Search

Need help with Timechart command

Anthonylucian
Path Finder

Hey all, so I'm trying to generate a timechart. If I perform the stats command to validate the number of state I get the number I'm looking for with this query.

|stats latest(*) AS * by ip, pluginID
| dedup macAddress, Datacenter
| stats count(state) as Fixed by cve

So now I wanted to transform the count of state over to a timechart, but when I do this I get no data at all.

|stats latest(*) AS * by ip, pluginID
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false

I'm pretty new to the timechart command; any help would be greatly appreciated!

Thanks!

1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @Anthonylucian,

timechart needs the _time field to group events. Your stats command does not output the _time field in its result set, which is why timechart cannot group and show the events. You can try the below:

|stats latest(_time) as _time latest(*) AS * by ip, pluginID
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

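The following search is an added, self-contained demonstration of the point scelikok makes above; it is not code from this thread. It uses makeresults to build a few constructed events, so it runs on any Splunk instance without the poster's vulnerability-scan data, and it carries _time through stats so that timechart can bucket the count of fixed findings by cve. The field names ip, pluginID, macAddress, Datacenter, state and cve follow the question; every value, including the CVE identifiers, is a placeholder.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = relative_time(now(), "-" . n . "d@d")
| eval ip = "10.0.0." . (n % 3 + 1)
| eval pluginID = 1000 + n
| eval cve = if(n % 2 == 0, "CVE-0000-0001", "CVE-0000-0002")
| eval state = "fixed"
| eval macAddress = "aa:bb:cc:00:00:0" . (n % 3 + 1)
| eval Datacenter = "dc1"
| stats latest(_time) AS _time latest(*) AS * BY ip, pluginID
| dedup macAddress, Datacenter
| timechart span=1d count(state) AS Fixed BY cve useother=false
```

Removing `latest(_time) AS _time` from the stats line reproduces the empty chart from the question, because, as the accepted answer observes, `latest(*)` does not return _time on its own; the explicit `span=1d` just matches the one-event-per-day sample so each bucket is visible.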

ITWhisperer
SplunkTrust
SplunkTrust

timechart needs the _time field to work with but the initial stats command does not pass this through

aasabatini
Motivator

Hi @Anthonylucian 

When you use the stats command you only report the fields listed in your search:

Try to put state on the stats command like this:

|stats latest(*) AS * by ip, pluginID,state,Fixed
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false

Or you can try like this:

|stats latest(*) AS * values(state) as state, values(Fixed) as Fixed by ip, pluginID
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

Anthonylucian
Path Finder

Didn't work for me, but thanks for the help!


Anthonylucian
Path Finder

Thank you!

You all are always so fast to reply!
