Splunk Search

Need help with Timechart command

Anthonylucian
Path Finder

Hey all, so I'm trying to generate a timechart. If I perform the stats command to validate the number of state, I get the number I'm looking for with this query.

|stats latest(*) AS * by ip, pluginID
| dedup macAddress, Datacenter
| stats count(state) as Fixed by cve

So now I wanted to transform the count of state over to a timechart but when I do this I get no data at all.

|stats latest(*) AS * by ip, pluginID
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false

I'm pretty new to the timechart command, any help would be greatly appreciated!

Thanks!


scelikok
SplunkTrust
SplunkTrust

Hi @Anthonylucian,

timechart needs the _time field to group events. Your stats command does not output the _time field in the result set, which is why timechart cannot group and show the events. You can try the query below:

|stats latest(_time) as _time latest(*) AS * by ip, pluginID
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

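As an added example that is not part of the thread, the search below builds a handful of constructed vulnerability-scan rows with makeresults, applies the accepted fix (carrying latest(_time) through the stats), and charts the result; every field value is made up, and span=1h is an assumption so that the hourly test rows land in separate buckets. Deleting the latest(_time) AS _time term from the stats line reproduces the empty timechart from the question, and inserting | table _time ip pluginID cve state right after the stats line shows whether _time survived.

```spl
| makeresults count=8
| streamstats count AS n
| eval _time = relative_time(now(), "-" . tostring(n) . "h")
| eval ip = "10.0.0." . tostring((n % 2) + 1)
| eval macAddress = "00:11:22:33:44:0" . tostring((n % 2) + 1)
| eval pluginID = tostring(100000 + (n % 3))
| eval Datacenter = "dc" . tostring((n % 3) + 1)
| eval cve = "CVE-0000-000" . tostring(n % 2)
| eval state = if(n % 3 == 0, "Fixed", "Open")
| stats latest(_time) AS _time latest(*) AS * BY ip, pluginID
| dedup macAddress, Datacenter
| timechart span=1h count(state) AS Fixed BY cve useother=false
```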

ITWhisperer
SplunkTrust
SplunkTrust

timechart needs the _time field to work with, but the initial stats command does not pass this through.

aasabatini
Motivator

Hi @Anthonylucian 

When you use the stats command, you report only the fields named in your search.

Try putting state in the stats command like this:

|stats latest(*) AS * by ip, pluginID, state, Fixed
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false

Or you can try it like this:

|stats latest(*) AS * values(state) as state, values(Fixed) as Fixed by ip, pluginID
| dedup macAddress, Datacenter
| timechart count(state) as Fixed by cve useother=false

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

Anthonylucian
Path Finder

Didn't work for me, but thanks for the help!

Anthonylucian
Path Finder

Thank you!

You all are always so fast to reply!
