Splunk Search

TimeChart multiple Fields

santorof
Communicator

I am trying to do a time chart that would show 1 day counts over 30 days comparing the total amount of events to how many events had blocked or allowed associated. The action field is in text and not in integers. It seems like time chart does not like taking a reoccurring count out of a text field broken down by day. I had tried converting the action field into a num by | convert num(action) but I am still getting an error of action being invalid.

|  eval action=case(action="blocked","Blocked",action="notified","Allowed")  |  timechart span=1d 
count by sourcetype,action
Tags (3)
0 Karma
1 Solution

santorof
Communicator

I got the output I was looking for through this:

...| timechart span=1month count by action | appendcols [ search ... | timechart span=1month count by sourcetype ]

This shows me the total amount of events compared to the action. The only question I have is If I am doing a month span from November to December is there going to be a sum of all the total # of events in November that leads to that final # I can see for the 1st of December? Or does it just look at the total events for only the first day in November and the first day in December.

View solution in original post

santorof
Communicator

I got the output I was looking for through this:

...| timechart span=1month count by action | appendcols [ search ... | timechart span=1month count by sourcetype ]

This shows me the total amount of events compared to the action. The only question I have is If I am doing a month span from November to December is there going to be a sum of all the total # of events in November that leads to that final # I can see for the 1st of December? Or does it just look at the total events for only the first day in November and the first day in December.

woodcock
Esteemed Legend

The fact that it shows the fist day just after midnight is normal; it signifies that this is for the entire month.

You should accept your answer.

0 Karma

woodcock
Esteemed Legend

@jeffland is correct in why yours will not work. You can also try this:

... | eval sourcetype_action = sourcetype . "::" . case(action="blocked","Blocked",action="notified","Allowed") | timechart span=1d count BY  sourcetype_action
0 Karma

santorof
Communicator

Would the chart command work? Then adding in the _time field associated with each line

0 Karma

woodcock
Esteemed Legend

Try this:

 ... | eval sourcetype_action = sourcetype . "::" . case(action="blocked","Blocked",action="notified","Allowed", true(), "N/A") | timechart span=1d count BY  sourcetype_action
0 Karma

santorof
Communicator

Tried this out and still having the issue of only one of the lines spiking per day. I see blocked activity but no overall activity. Over a 7 day period no two lines rise on the same day.

0 Karma

woodcock
Esteemed Legend

I do not see any way for this search NOT to work as it should. Perhaps I am misunderstanding your complaint? Please restate and give example data on what is wrong.

0 Karma

santorof
Communicator

So on the timechart there are three lines Allowed Blocked and N/A with N/a being all activity I assume. For each day across the timechart there is only one line that is rising. For example on the 29th of October The blocked lined shows 4 blocked events. If there are 4 blocked events then there should be 4 events on the N/A line as well but I am not seeing it. Also looking further into my data im timecharting there was a day where there was both an allowed and blocked event. The Timechart is only showing the one blocked event

0 Karma

woodcock
Esteemed Legend

The value N/A is for those events in the dataset that have NEITHER action="blocked" NOR action="notified". It is a catch-all in case there are other types of action values. So it does seem that this is working.

0 Karma

santorof
Communicator

Tried this and it seems like its doing what I need it do. However its showing me blocked or allowed action during a day where there was no activity according to Null. The null field is the sourcetype I believe .

0 Karma

santorof
Communicator

I renamed sourcetype to account for null. I ran a search against my sourcetype and saw I had 4 events on November 4th but no spikes for the sourcetype and 4 allowed events. It seems that only one spike in one of the eval's per day is allowed through this method.

0 Karma

jeffland
SplunkTrust
SplunkTrust

The problem is that you can't split by more than two fields with a chart command. timechart already assigns _time to one dimension, so you can only add one other with the by clause.

You could do something like this:

... | eval action=case(action="blocked","Blocked",action="notified","Allowed") | bin span=1d _time | stats count by _time sourcetype action

(which halfway does explicitly what timechart does under the hood for you) and see if that is what you want. I suggest you read up on sideviews answer here for some more detail.

0 Karma

santorof
Communicator

Tried this and the eval never happens. Its stat'd by the action field. Also the action field showed no events.

0 Karma

jeffland
SplunkTrust
SplunkTrust

Uhm, I'm not sure if I understand you correctly. What do your raw events look like, and what do you want them to look like?

0 Karma

santorof
Communicator

My sourcetype has a field called action that can be either blocked or notified. In a timechart fashion I want to show the amount of blocked notified and total events associated with my sourcetype. I tried the code you gave me and there are a couple different things that happened. Only the total count of events was produced, the eval function dident occur and the chart is still showing action, and the chart is not a true way to look at trend lines because it does not account for days that have no events. It will only chart days that have events.

0 Karma
Get Updates on the Splunk Community!

Introducing New Splunkbase Governance!

Splunk apps are essential for maximizing the value of your Splunk Experience. Whether you’re using the default ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...