
Timechart - Search queries

ppurokit
Path Finder

Hi All,

I have the following search queries with me.

index=XXX CISE_Failed_Attempts | timechart span=30m count by CISE_Failed_Attempts | rename NULL as "Failed Authentication Count"

index=XXX CISE_Passed_Authentications | timechart span=30m count by CISE_Passed_Authentications | rename NULL as "Passed Authentications Count"

Is there a way I could combine both queries into a single query like the following:

index=XXX CISE_Passed_Authentications OR CISE_Failed_Attempts | timechart span=30m count by CISE_Passed_Authentications , CISE_Failed_Attempts

Individually the search queries work fine. But when I try to do a timechart with two fields it fails.

Please suggest a way to overcome this issue.

0 Karma

martin_mueller
SplunkTrust

The most naive way to combine the two would be appendcols:

index=XXX CISE_Failed_Attempts | timechart span=30m count by CISE_Failed_Attempts | rename NULL as "Failed Authentication Count"
| appendcols 
[ search index=XXX CISE_Passed_Authentications | timechart span=30m count by CISE_Passed_Authentications | rename NULL as "Passed Authentications Count" ]

Depending on your data, you may be able to combine the two more smartly, for example like this:

index=XXX CISE_Failed_Attempts OR CISE_Passed_Authentications | eval CISE_Combined = coalesce(CISE_Failed_Attempts, CISE_Passed_Authentications) | timechart span=30m count by CISE_Combined

Note, I've assumed that those two fields have reasonable values... I'm doubting that assumption a bit because of your use of the NULL column. Post some sample data to investigate that.

martin_mueller
SplunkTrust

What values do those two fields CISE_Failed_Attempts and CISE_Passed_Authentications have that you use to group by? If their values are distinct then combining them before the timechart will still yield their distinct values for each column.

0 Karma

ppurokit
Path Finder

I hope I can't make use of the coalesce command because both are combined together into a single column. But I need both to be separate.

As said, I can make use of the said appendcols, but I fear that I'm executing two searches at the same time, which could take more time to run.

0 Karma

ppurokit
Path Finder

Thanks for the update. Actually my intention is to combine these into a single query and put it into a summary index using the sitimechart command, and then write another query to populate the dashboard from it.

0 Karma
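A single-search variant that keeps the failed and passed authentication counts in separate columns (the requirement stated in the follow-up above) rather than coalescing them into one by-field, added here as an example and not taken from the thread or from Splunk documentation. It assumes, as the original searches do, that CISE_Failed_Attempts and CISE_Passed_Authentications act as keywords matched against the raw event rather than as fields carrying useful values, and it reuses the placeholder index name XXX:

```spl
index=XXX CISE_Passed_Authentications OR CISE_Failed_Attempts
| eval failed=if(searchmatch("CISE_Failed_Attempts"), 1, 0),
       passed=if(searchmatch("CISE_Passed_Authentications"), 1, 0)
| timechart span=30m sum(failed) AS "Failed Authentication Count",
                     sum(passed) AS "Passed Authentications Count"
```

Each event is tagged with two 0/1 indicator fields and the timechart sums them per 30-minute bucket, so the data is read once, there is no NULL column to rename, and an event that somehow matches both keywords is counted in both columns rather than being assigned to whichever one coalesce picks first.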