Splunk Search

Timechart command in lookup or CSV File

ashish9433
Communicator

Hi Team,

I have a scheduled search which generates a lookup file similar to below

alt text

Whenever i run stats command on this data it runs perfectly fine. But whenever i try to run timechart command it doesnt work, like below

search ...| timechart count by image_name
search ... | timechart count(image_name)

or any permutation i try with i get either zero or null but not the actuall count or aggregate function. Basically i am looking to use span/bin on this data but i am unable to do that so thought of using timechart command.

I have properly formatted the time to _time by converting into epoch time and then into %c standard format.

I am not sure why timechart is not working on the lookup/csv file data.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi @ashish9433 ,
Can you please try this?

YOUR_SEARCH | eval _time=strptime(_time,"%m/%d/%Y")| timechart count by image_name

Thanks

ashish9433
Communicator

I already did this, the problem is the result is shown as list of all image_name as columns and date as rows with all zero in all the row of all the cloumns and thus the issue!

0 Karma

gcusello
Legend

Hi ashish9433,
what's your need?
do you want to count values or only display them?

if you want to count events or sum values you could use chart command

my_search
| chart count over _time BY image_name

If instead you want only to display values, you could use table command

my_search
| table _time image_name os_name

Bye.
Giuseppe

0 Karma

ashish9433
Communicator

I want to group by span=15d and have a visualization and also use a single value with trend indicator option.
I tried span, bin and timechart none of them is working on lookup data.

0 Karma

tiagofbmm
Influencer

Hey

Please try this option:

| inputlookup csv_timechart.csv
| eval _time=strptime(_time,"%m/%d/%Y")
| timechart count by image_name
0 Karma

ashish9433
Communicator

I already did this, the problem is the result is shown as list of all image_name as columns and date as rows with all zero in all the row of all the cloumns and thus the issue!

0 Karma

tiagofbmm
Influencer

I just copied your entire lookup in the image and tried this myself by creating a .csv.

I don't have zeros in all rows and so it seems that your csv is not well formatted. Can you try what I just did?

Create a csv in a plaintext file:

_time,image_name,os_name
10/01/2018, azure1, CentOS7
10/02/2018, azure1, CentOS7
15/02/2018, azure1, CentOS7
20/02/2018, azure3, CentOS7
10/03/2018, azure3, CentOS7
11/03/2018, azure2, CentOS7
12/03/2018, azure2, CentOS7

Save it like this and to csv_timechart.csv, put it in the lookup folder of the app you are using, and run the command I told you.

Feed us back please

0 Karma

p_gurav
Champion

Can you provide query you are using for converting?

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...