Solved: Timechart based on field value (aggregated event c...

flle · ‎05-05-2012

Hi,

I get events from a source which already aggregates events. Examples:

Apr 24 2012 09:59:59,event_name=FWALL: Matched By Firewall, event_count=5,src_ip=199.80.55.144,src_port=80,src_country=Hong Kong,dst_ip=192.168.1.2,dst_port=22628,dst_country=Switzerland,action=mitigate,proto=TCP

Apr 24 2012 09:59:59,event_name=PROTO: HTTP Header Section Too Long, event_count=11,src_ip=212.71.127.101,src_port=80,src_country=Switzerland,dst_ip=192.168.1.2,dst_port=52003,dst_country=Switzerland,action=monitor,proto=TCP

So for statistics on total event count I need to evaluate / sum the number in the event_count field.
So how can I timechart on event_name but evaluate the event_count field rather than the actual number of events collected?

Thanks !

Ayn · ‎05-05-2012

If you want the sum of the values in the event_count field for some interval, just use the statistical function sum.

... | timechart sum(event_count) by event_name

View solution in original post

Ayn · ‎05-05-2012

If you want the sum of the values in the event_count field for some interval, just use the statistical function sum.

... | timechart sum(event_count) by event_name

Timechart based on field value (aggregated event count) rather than number of events

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?