Splunk Search

TimeChart not working properly

kiran_mh

Hi,

index=msexchange sourcetype="MSExchange:2013:HttpProxy" host="ftlpex02cas01.citrite.net" RpcHttp AND "/rpc/rpcproxy.dll" |timechart span=1d count | trendline sma2(count) as trend | stats latest(count) as Count latest(trend) as trend | eval alert=if(trend > Count, "yes", "no")

I have the above query, which has three fields: count, trend and alert.

But I am not able to get the values for the three fields for the last 7 days, i.e. I want the values of the three fields to be displayed along with the date for the last 7 days.

Thanks in advance


kiran_mh

Thank you.

One more thing: we have the following query.

index=msexchange sourcetype="MSExchange:2013:HttpProxy" host="ftlpex02cas01.citrite.net" RpcHttp AND "/rpc/rpcproxy.dll" |timechart span=1d count | trendline sma2(count) as trend |stats latest(count) as count latest(trend) as trend | eval alert=if(trend > count, "yes", "no")

But in this query the timechart is not working: we are not getting the _time field.

Thanks in advance


sundareshr

Try this. Since you are using sma2 for your trendline, you will not see a trend for the latest event.

index=msexchange sourcetype="MSExchange:2013:HttpProxy" host="ftlpex02cas01.citrite.net" RpcHttp AND "/rpc/rpcproxy.dll" | timechart span=1d count | trendline sma2(count) as trend | eval alert=if(trend > count, "yes", "no")
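To make concrete why the original query lost the date column and what the answer's version produces per day, here is an added Python emulation of the pipeline (this is not code from the thread or from Splunk). It runs over a constructed sample of proxy requests, buckets them by day like `timechart span=1d count`, computes a simple moving average the way I understand `trendline sma2` to work (the current bucket averaged with the one before it, the first bucket left blank; that is an assumption about Splunk's semantics, not something the thread states), derives the `alert` field, and then shows that a trailing `stats latest(...)` collapses the whole series into a single row with no `_time`. Leaving the alert blank where the trend is blank is a choice made here for the emulation; real Splunk `if()` behaviour on a null comparison should be checked against the docs.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real Exchange HttpProxy logs): one line per
# proxied request, "<ISO timestamp> <protocol> <url path>". The /owa/ line on
# 03-02 is there to show that non-matching paths are excluded from the count.
SAMPLE_LOG = """\
2024-03-01T08:00:00Z RpcHttp /rpc/rpcproxy.dll
2024-03-01T09:10:00Z RpcHttp /rpc/rpcproxy.dll
2024-03-01T09:12:00Z RpcHttp /rpc/rpcproxy.dll
2024-03-02T08:00:00Z RpcHttp /rpc/rpcproxy.dll
2024-03-02T08:30:00Z RpcHttp /rpc/rpcproxy.dll
2024-03-02T11:00:00Z RpcHttp /rpc/rpcproxy.dll
2024-03-02T12:00:00Z RpcHttp /rpc/rpcproxy.dll
2024-03-02T12:01:00Z RpcHttp /owa/
2024-03-03T08:00:00Z RpcHttp /rpc/rpcproxy.dll
2024-03-03T08:05:00Z RpcHttp /rpc/rpcproxy.dll
2024-03-04T08:00:00Z RpcHttp /rpc/rpcproxy.dll
2024-03-05T08:00:00Z RpcHttp /rpc/rpcproxy.dll
2024-03-05T08:01:00Z RpcHttp /rpc/rpcproxy.dll
2024-03-05T08:02:00Z RpcHttp /rpc/rpcproxy.dll
2024-03-06T08:00:00Z RpcHttp /rpc/rpcproxy.dll
2024-03-06T08:01:00Z RpcHttp /rpc/rpcproxy.dll
2024-03-07T08:00:00Z RpcHttp /rpc/rpcproxy.dll
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_lines(text):
    """Turn raw lines into (utc datetime, protocol, path) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        events.append((ts.astimezone(timezone.utc), m.group(2), m.group(3)))
    return events


def timechart_daily_count(events, protocol="RpcHttp", path="/rpc/rpcproxy.dll"):
    """Emulate `RpcHttp AND "/rpc/rpcproxy.dll" | timechart span=1d count`:
    keep matching events, bucket by UTC day, zero-fill days without hits.
    (Splunk fills across the search time range; here the data's own span is used.)"""
    per_day = Counter(ts.date() for ts, proto, p in events if proto == protocol and p == path)
    if not per_day:
        return []
    first, last = min(per_day), max(per_day)
    days = [first + timedelta(days=i) for i in range((last - first).days + 1)]
    return [(d, per_day.get(d, 0)) for d in days]


def sma(values, n):
    """Simple moving average over the current value and the n-1 before it.
    Assumption about Splunk's trendline sma<n>: the first n-1 buckets get no trend."""
    out = []
    for i in range(len(values)):
        if i < n - 1:
            out.append(None)
        else:
            out.append(sum(values[i - n + 1: i + 1]) / n)
    return out


def build_table(text, n=2):
    """The per-day table the question asks for: _time, count, trend, alert."""
    buckets = timechart_daily_count(parse_lines(text))
    counts = [c for _, c in buckets]
    trends = sma(counts, n)
    rows = []
    for (day, count), trend in zip(buckets, trends):
        # Emulation choice: no alert is computed while the trend is blank.
        alert = "" if trend is None else ("yes" if trend > count else "no")
        rows.append({"_time": day.isoformat(), "count": count, "trend": trend, "alert": alert})
    return rows


def stats_latest(rows):
    """Emulate `| stats latest(count) as count latest(trend) as trend`: the series
    collapses to a single row and _time disappears, which is why the original
    query showed no date."""
    last = rows[-1]  # timechart output is ordered by _time, so the last row is latest
    return {"count": last["count"], "trend": last["trend"]}


if __name__ == "__main__":
    table = build_table(SAMPLE_LOG)
    for row in table:
        print(row)
    print(stats_latest(table))
```

The per-day rows are what the asker wanted; in Splunk the same table for the last 7 days comes from running the answer's query with a 7-day time range (for example `earliest=-7d@d latest=@d` in the search bar) and simply not appending `stats`, since any `stats` without a `by _time` throws the time axis away.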