Solved: Search by time, then visualize in

moayadalghamdi · ‎01-27-2021

Hello Splunkers !

i want to write a command that shows a timeline of authentication activities as following:

index=MyIndex eventtype=Authentication user=* action=* src=* | stats count(user) by _time

the output looks like this:

the thing is that the time is in seconds is shown is statistics below:

i want the the command to show count for authentication attempts by minutes not seconds.

Thanks ^_^

bowesmana · ‎01-27-2021

index=MyIndex eventtype=Authentication user=* action=* src=*
| bin _time span=1m
| stats count(user) by _time

OR

index=MyIndex eventtype=Authentication user=* action=* src=*
| timechart span=1m count(user)

bowesmana · ‎01-27-2021

index=MyIndex eventtype=Authentication user=* action=* src=*
| bin _time span=1m
| stats count(user) by _time

OR

index=MyIndex eventtype=Authentication user=* action=* src=*
| timechart span=1m count(user)

moayadalghamdi · ‎01-27-2021

AWESOME !, Thanks ^_^

Search by time, then visualize in