Splunk Search

Not able to create a 24hour chart with the table.

theouhuios
Motivator

Hello

I am trying to do a 24hr and 31 days chart for the threshold value which will be as a output of this table. Now the below code gives me threshold value for each workgroup. I now need to create a timechart which mentions about the number of times the threshold for a particular workgroup(A) is exceeded.

index=xxxx search_name="xxxx" | rename record_assignmentGroup as A | eval mybucket=case(date_hour<4,1,date_hour<8,2,date_hour<12,3,date_hour<16,4,date_hour<20,5,date_hour>0,6) | stats count as I by A, mybucket,date_mday,date_month,date_year  | delta I as D  | eval D = abs(D) | eventstats avg(I) as xbar, avg(D) as mbar by A | eval threshold = xbar + (2.66*mbar) | eval threshold=coalesce(threshold,0) | dedup A | fields A threshold | table A threshold

I made use of macro and now the search is

index=xxxx search_name="xxxx"  |  `bucket_incident` | `threshold_incident`| 

It's just a shorter version of the first one.

Output:

A threshold

Regards

theou

Tags (2)
0 Karma

bmacias84
Champion

@theouhuios, Could you explain what your trying to accomplish with your case statment?


eval mybucket=case(date_hour<4,1,date_hour<8,2,date_hour<12,3,date_hour<16,4,date_hour<20,5,date_hour>0,6)

0 Karma

yannK
Splunk Employee
Splunk Employee

if your grouping is per time bucket (mybucket), then keep it at every steps of your commands : stats, fields, etc...
and at the end your probably want |table A mybucket threshold

0 Karma

theouhuios
Motivator

@bmacias84 I updated it now. Any idea on how to solve this.

0 Karma

theouhuios
Motivator

I should have been a bit more clear. Will update the part now.

0 Karma

bmacias84
Champion

I am not sure what you trying to do exactly, but you need to perserve _time to use timechart or to use chart use (chart count over time by x) in your stats command and eventstats.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...