Splunk Search

Need help with Timechart command

Anthonylucian
Path Finder

Hey all, so I'm trying to generate a timechart. If I perform the stats command to validate the number of state, I get the number I'm looking for with this query.

|stats latest(*) AS * by ip, pluginID
| dedup macAddress, Datacenter
| stats count(state) as Fixed by cve

So now I wanted to transform the count of state over to a timechart, but when I do this I get no data at all.

|stats latest(*) AS * by ip, pluginID
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false

I'm pretty new to the timechart command; any help would be greatly appreciated!

Thanks!

1 Solution

scelikok
SplunkTrust

Hi @Anthonylucian,

timechart needs the _time field to group events by. Your stats command does not output a _time field in its result set, which is why timechart cannot group and show the events. You can try the below;

|stats latest(_time) as _time latest(*) AS * by ip, pluginID
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false

If this reply helps you, an upvote and "Accept as Solution" are appreciated.

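To see why the first query comes back empty and why the accepted fix works, here is a self-contained SPL example added to this page (it is not code from any of the posters). It uses makeresults to construct eight fake vulnerability rows, so it runs on any Splunk instance without a scan index. The field names ip, pluginID, cve, state, macAddress and Datacenter follow the thread; the plugin IDs, CVE strings, IPs and datacenter name are made-up placeholders.

```spl
| makeresults count=8
| streamstats count AS n
| eval _time = relative_time(now(), "-" . ((n % 3) + 1) . "d@d")
| eval ip = "10.0.0." . ((n % 4) + 1)
| eval pluginID = if(n <= 4, "1001", "1002")
| eval cve = "CVE-EXAMPLE-" . pluginID
| eval state = "Fixed", macAddress = ip, Datacenter = "dc1"
| stats latest(_time) AS _time latest(*) AS * BY ip, pluginID
| dedup macAddress, Datacenter
| timechart span=1d count(state) AS Fixed BY cve useother=false
```

The stats line is where the original query lost its timestamp: stats emits only the split-by fields plus the aggregations you name, and the * wildcard in latest(*) does not pick up internal fields such as _time, so the rows reaching timechart have nothing to bucket on. Carrying it explicitly with latest(_time) AS _time gives each ip/pluginID row the timestamp of its most recent event, and timechart buckets on that. Two things to keep in mind when reading the chart: it counts one row per ip/pluginID (and, after dedup, one per macAddress/Datacenter) placed at its last-seen time, not every historical event, and span=1d is set here only so the three constructed days land in separate buckets. To confirm the diagnosis on real data, run the pipeline with the timechart line removed and replaced by `| table _time ip pluginID cve state`; if the _time column is empty, timechart will be too.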

ITWhisperer
SplunkTrust

timechart needs the _time field to work with, but the initial stats command does not pass this through.

aasabatini
Motivator

Hi @Anthonylucian

when you use the stats command, you report only the fields reported in your search:

try to put state in the stats command like this

|stats latest(*) AS * by ip, pluginID,state,Fixed
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false

or you can try like this

|stats latest(*) AS * values(state) as state, values(Fixed) as Fixed by ip, pluginID
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

Anthonylucian
Path Finder

Didn't work for me, but thanks for the help!



Anthonylucian
Path Finder

Thank you!

You all are always so fast to reply!
