Splunk Search

Need help with Timechart command

Anthonylucian
Path Finder

Hey all, so im trying to generate a time chart. If i perform the the stats command to validate the number of state I get the number im looking for with this query.

|stats latest(*) AS * by ip, pluginID
| dedup macAddress, Datacenter
| stats count(state) as Fixed by cve

So now I wanted to transform the count of state over to a timechart but when I do this I get no data at all.

|stats latest(*) AS * by ip, pluginID
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false

 

Im pretty new to the timechart command, any help would be greatly appreciated!

 

Thanks!

Labels (1)
Tags (1)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @Anthonylucian,

timechart need _time field to group by events. Your stats command does not output _time field on result set, that is why timechart cannot group and show the events. You can try below;

|stats latest(_time) as _time latest(*) AS * by ip, pluginID
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false
If this reply helps you an upvote is appreciated.

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

timechart needs the _time field to work with but the initial stats command does not pass this through

aasabatini
Motivator

Hi @Anthonylucian 

 

when you use stats comand you report only the fields reported on your search:

try to put state on stats comand like this

|stats latest(*) AS * by ip, pluginID,state,Fixed
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false

or you can try like this

|stats latest(*) AS * values(state) as state, values(Fixed) as Fixed by ip, pluginID
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

Anthonylucian
Path Finder

Didnt work for me, but thanks for the help!

0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @Anthonylucian,

timechart need _time field to group by events. Your stats command does not output _time field on result set, that is why timechart cannot group and show the events. You can try below;

|stats latest(_time) as _time latest(*) AS * by ip, pluginID
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false
If this reply helps you an upvote is appreciated.

Anthonylucian
Path Finder

Thank you!

You all are always so fast to reply!

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...