Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help with Timechart command

Anthonylucian
Path Finder
‎04-01-2021 07:34 AM

Hey all, so im trying to generate a time chart. If i perform the the stats command to validate the number of state I get the number im looking for with this query.

|stats latest(*) AS * by ip, pluginID
| dedup macAddress, Datacenter
| stats count(state) as Fixed by cve

So now I wanted to transform the count of state over to a timechart but when I do this I get no data at all.

|stats latest(*) AS * by ip, pluginID
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false

 

Im pretty new to the timechart command, any help would be greatly appreciated!

 

Thanks!

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎04-01-2021 07:40 AM

Hi @Anthonylucian,

timechart need _time field to group by events. Your stats command does not output _time field on result set, that is why timechart cannot group and show the events. You can try below;

|stats latest(_time) as _time latest(*) AS * by ip, pluginID
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-01-2021 07:48 AM

timechart needs the _time field to work with but the initial stats command does not pass this through

Reply
Solved! Jump to solution

aasabatini
Motivator
‎04-01-2021 07:40 AM

Hi @Anthonylucian 

 

when you use stats comand you report only the fields reported on your search:

try to put state on stats comand like this

|stats latest(*) AS * by ip, pluginID,state,Fixed
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false

or you can try like this

|stats latest(*) AS * values(state) as state, values(Fixed) as Fixed by ip, pluginID
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
Reply
Solved! Jump to solution

Anthonylucian
Path Finder
‎04-01-2021 07:51 AM

Didnt work for me, but thanks for the help!

0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎04-01-2021 07:40 AM

Hi @Anthonylucian,

timechart need _time field to group by events. Your stats command does not output _time field on result set, that is why timechart cannot group and show the events. You can try below;

|stats latest(_time) as _time latest(*) AS * by ip, pluginID
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

Anthonylucian
Path Finder
‎04-01-2021 07:50 AM

Thank you!

You all are always so fast to reply!

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
li.common.scroll-to.top