Timechart for multiple search total

utk123
Path Finder

Hello,

I want the total of multiple searches in a timechart per week.

My search in simple format, over the last 90 days:

| inputlookup abcd.csv | search host=*CC* | dedup host | stats count(host) as "List1"
| appendcols
[| inputlookup efgh.csv | search host=*AA* | dedup host | stats count(host) as "List2"]
| appendcols
[| inputlookup xyz1.csv | search host=*BB* | dedup host | stats count(host) as "List3"]
| eval Total=List1+List2+List3
| timechart span=w@1w sum(Total) as "Hosts"

If I run it without the last timechart line, then it gives me the total for 90 days or 1 week, but I need the same results calculated weekly using timechart, and to display the total per week.


kamlesh_vaghela
SplunkTrust
@utk123

The timechart command works with the _time field. Do your lookups have any date/time column like host_created_date, etc.?

https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/Timechart

scelikok
SplunkTrust

Hi @utk123,

Assuming you have a _time field in all your lookup files, you can try something like below:

| inputlookup abcd.csv where host="*CC*" | eval list="List1"
| inputlookup append=t efgh.csv where host="*AA*" | eval list=coalesce(list,"List2")
| inputlookup append=t xyz1.csv where host="*BB*" | eval list=coalesce(list,"List3")
| bin _time span=w@1w 
| stats dc(host) as host_count by list _time
| timechart span=w@1w sum(host_count) as Total

If this reply helps you, an upvote is appreciated.

utk123
Path Finder

I get the below error:

Error in 'inputlookup' command: This command must be the first command of a search.


scelikok
SplunkTrust

Do you have anything before the search you sent us? If yes, we should find another way to do it.

If this reply helps you an upvote is appreciated.