Solved: Timechart based on field value (aggregated event c...

flle · ‎05-05-2012

Hi,

I get events from a source which already aggregates events. Examples:

Apr 24 2012 09:59:59,event_name=FWALL: Matched By Firewall, event_count=5,src_ip=199.80.55.144,src_port=80,src_country=Hong Kong,dst_ip=192.168.1.2,dst_port=22628,dst_country=Switzerland,action=mitigate,proto=TCP

Apr 24 2012 09:59:59,event_name=PROTO: HTTP Header Section Too Long, event_count=11,src_ip=212.71.127.101,src_port=80,src_country=Switzerland,dst_ip=192.168.1.2,dst_port=52003,dst_country=Switzerland,action=monitor,proto=TCP

So for statistics on total event count I need to evaluate / sum the number in the event_count field.
So how can I timechart on event_name but evaluate the event_count field rather than the actual number of events collected?

Thanks !

Ayn · ‎05-05-2012

If you want the sum of the values in the event_count field for some interval, just use the statistical function sum.

... | timechart sum(event_count) by event_name

View solution in original post

Ayn · ‎05-05-2012

If you want the sum of the values in the event_count field for some interval, just use the statistical function sum.

... | timechart sum(event_count) by event_name

Timechart based on field value (aggregated event count) rather than number of events

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation