Splunk Search

TimeChart multiple Fields

Path Finder

I am trying to do a timechart that would show 1-day counts over 30 days, comparing the total amount of events to how many events had blocked or allowed associated. The action field is text, not integers. It seems like timechart does not like taking a recurring count out of a text field broken down by day. I had tried converting the action field into a number with | convert num(action), but I am still getting an error of action being invalid.

| eval action=case(action="blocked","Blocked",action="notified","Allowed") | timechart span=1d count by sourcetype,action

Re: TimeChart multiple Fields

Champion

The problem is that you can't split by more than two fields with a chart command. timechart already assigns _time to one dimension, so you can only add one other with the by clause.

You could do something like this:

... | eval action=case(action="blocked","Blocked",action="notified","Allowed") | bin span=1d _time | stats count by _time sourcetype action

(which halfway does explicitly what timechart does under the hood for you) and see if that is what you want. I suggest you read up on sideview's answer here for some more detail.


Re: TimeChart multiple Fields

Path Finder

Tried this and the eval never happens. It's stat'd by the action field. Also, the action field showed no events.


Re: TimeChart multiple Fields

Champion

Uhm, I'm not sure if I understand you correctly. What do your raw events look like, and what do you want them to look like?


Re: TimeChart multiple Fields

Path Finder

My sourcetype has a field called action that can be either blocked or notified. In a timechart fashion, I want to show the amount of blocked, notified and total events associated with my sourcetype. I tried the code you gave me and a couple of different things happened. Only the total count of events was produced, the eval function didn't occur and the chart is still showing action, and the chart is not a true way to look at trend lines because it does not account for days that have no events. It will only chart days that have events.


Re: TimeChart multiple Fields

Esteemed Legend

@jeffland is correct in why yours will not work. You can also try this:

... | eval sourcetype_action = sourcetype . "::" . case(action="blocked","Blocked",action="notified","Allowed") | timechart span=1d count BY sourcetype_action

Re: TimeChart multiple Fields

Path Finder

Tried this and it seems like it's doing what I need it to do. However, it's showing me blocked or allowed action during a day where there was no activity, according to Null. The null field is the sourcetype, I believe.


Re: TimeChart multiple Fields

Path Finder

I renamed sourcetype to account for null. I ran a search against my sourcetype and saw I had 4 events on November 4th, but no spikes for the sourcetype and 4 allowed events. It seems that only one spike in one of the evals per day is allowed through this method.


Re: TimeChart multiple Fields

Path Finder

Would the chart command work? Then adding in the _time field associated with each line.


Re: TimeChart multiple Fields

Esteemed Legend

Try this:

... | eval sourcetype_action = sourcetype . "::" . case(action="blocked","Blocked",action="notified","Allowed", true(), "N/A") | timechart span=1d count BY sourcetype_action
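Another way to get the total, blocked and allowed counts as three separate daily series for a single sourcetype, added here as an example that is not from the thread: instead of splitting by a concatenated field, use one count(eval(...)) aggregation per action value. The sourcetype name is a placeholder, and timechart fills days with no events with a 0 count, which is what the trend-line requirement above needs.

```spl
sourcetype=<your_sourcetype>
| fillnull value="unknown" action
| timechart span=1d
    count AS total
    count(eval(action="blocked")) AS blocked
    count(eval(action="notified")) AS allowed
```

Events whose action field is missing are counted in total and land in neither blocked nor allowed, so a gap between total and blocked+allowed is the quickest check that the field extraction is not covering every event.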