Splunk Search

Not able to create a 24hour chart with the table.

theouhuios
Motivator

Hello

I am trying to do a 24hr and 31 days chart for the threshold value which will be as a output of this table. Now the below code gives me threshold value for each workgroup. I now need to create a timechart which mentions about the number of times the threshold for a particular workgroup(A) is exceeded.

index=xxxx search_name="xxxx" | rename record_assignmentGroup as A | eval mybucket=case(date_hour<4,1,date_hour<8,2,date_hour<12,3,date_hour<16,4,date_hour<20,5,date_hour>0,6) | stats count as I by A, mybucket,date_mday,date_month,date_year  | delta I as D  | eval D = abs(D) | eventstats avg(I) as xbar, avg(D) as mbar by A | eval threshold = xbar + (2.66*mbar) | eval threshold=coalesce(threshold,0) | dedup A | fields A threshold | table A threshold

I made use of macro and now the search is

index=xxxx search_name="xxxx"  |  `bucket_incident` | `threshold_incident`| 

It's just a shorter version of the first one.

Output:

A threshold

Regards

theou

Tags (2)
0 Karma

bmacias84
Champion

@theouhuios, Could you explain what your trying to accomplish with your case statment?


eval mybucket=case(date_hour<4,1,date_hour<8,2,date_hour<12,3,date_hour<16,4,date_hour<20,5,date_hour>0,6)

0 Karma

yannK
Splunk Employee
Splunk Employee

if your grouping is per time bucket (mybucket), then keep it at every steps of your commands : stats, fields, etc...
and at the end your probably want |table A mybucket threshold

0 Karma

theouhuios
Motivator

@bmacias84 I updated it now. Any idea on how to solve this.

0 Karma

theouhuios
Motivator

I should have been a bit more clear. Will update the part now.

0 Karma

bmacias84
Champion

I am not sure what you trying to do exactly, but you need to perserve _time to use timechart or to use chart use (chart count over time by x) in your stats command and eventstats.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...