Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timchart - Search queries

ppurokit
Path Finder
‎05-11-2014 08:16 AM

Hi All,

I have the following search queries with me.

index=XXX CISE_Failed_Attempts | timechart span=30m count by CISE_Failed_Attempts | rename NULL as "Failed Authentication Count"

index=XXX CISE_Passed_Authentications | timechart span=30m count by CISE_Passed_Authentications | rename NULL as "Passed Authentications Count"

Is there a way where i could combine both the queries together into a single query like the following

index=XXX CISE_Passed_Authentications OR CISE_Failed_Attempts | timechart span=30m count by CISE_Passed_Authentications , CISE_Failed_Attempts

Individually the search queries work fine. But when i try to do a timechart with two fields it fails.

Please suggest a way to overcome this issue.

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-11-2014 08:29 AM

The most naive way to combine the two would be appendcols:

index=XXX CISE_Failed_Attempts | timechart span=30m count by CISE_Failed_Attempts | rename NULL as "Failed Authentication Count"
| appendcols 
[ search index=XXX CISE_Passed_Authentications | timechart span=30m count by CISE_Passed_Authentications | rename NULL as "Passed Authentications Count" ]

Depending on your data, you may be able to combine the two more smartly, for example like this:

index=XXX CISE_Failed_Attempts OR CISE_Passed_Authentications | eval CISE_Combined = coalesce(CISE_Failed_Attempts, CISE_Passed_Authentications) | timechart span=30m count by CISE_Combined

Note, I've assumed that those two fields have reasonable values... I'm doubting that assumption a bit because of your use of the NULL column. Post some sample data to investigate that.

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-11-2014 09:47 AM

What values do those two fields CISE_Failed_Attempts and CISE_Passed_Authentications have that you use to group by? If their values are distinct then combining them before the timechart will still yield their distinct values for each column.

0 Karma
Reply

ppurokit
Path Finder
‎05-11-2014 09:45 AM

I hope i cant make use of the coalesce command because both are combined together into a single column. But i need both to be separate.

As said i can make use of the said appendcols,but fear that im executing two searches at the same time which could take more time to run.

0 Karma
Reply

ppurokit
Path Finder
‎05-11-2014 09:39 AM

Thanks for the update. Actually my intention is to combine these into a single query and put it into a summary index using sitimechart command and then again write a query to populate back the dashboard,

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...