Splunk Search

Timechart for multiple search total

utk123
Path Finder

Hello,

I want the total of multiple searches in a timechart per week.

My search in simple format, for the last 90 days:

| inputlookup abcd.csv | search host=*CC* | dedup host | stats count(host) as "List1"
| appendcols
[| inputlookup efgh.csv | search host=*AA* | dedup host | stats count(host) as "List2"]
| appendcols
[| inputlookup xyz1.csv | search host=*BB* | dedup host | stats count(host) as "List3"]
| eval Total=List1+List2+List3
| timechart span=w@1w sum(Total) as "Hosts"

If I run it without the last timechart line, then it gives me the total for 90 days or 1 week, but I need the same results calculated weekly using timechart, displaying the total per week.

0 Karma

kamlesh_vaghela
SplunkTrust
@utk123

The timechart command works with the _time field. Do your lookups have any date-time column like host_created_date, etc.?

https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/Timechart
0 Karma

scelikok
SplunkTrust

Hi @utk123,

Assuming you have a _time field in all your lookup files, you can try something like the below:

| inputlookup abcd.csv where host="*CC*" | eval list="List1"
| inputlookup append=t efgh.csv where host="*AA*" | eval list=coalesce(list,"List2")
| inputlookup append=t xyz1.csv where host="*BB*" | eval list=coalesce(list,"List3")
| bin _time span=w@1w 
| stats dc(host) as host_count by list _time
| timechart span=w@1w sum(host_count) as Total

If this reply helps you, an upvote and "Accept as Solution" are appreciated.
0 Karma
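
An added example, not part of any post in this thread: the weekly distinct-count pattern from the reply above, run over constructed rows instead of the lookups, with _time derived from a date column of the kind asked about earlier. The rows in constructed_rows, the srv* host names, and the use of host_created_date as a %Y-%m-%d column are assumptions; span=1w is used here for the weekly buckets.

```spl
| makeresults
| eval constructed_rows=split("2024-01-03,srvCC01,List1;2024-01-03,srvCC01,List1;2024-01-03,srvAA07,List2;2024-01-17,srvCC02,List1;2024-01-17,srvBB03,List3", ";")
| mvexpand constructed_rows
| rex field=constructed_rows "^(?<host_created_date>[^,]+),(?<host>[^,]+),(?<list>.+)$"
| eval _time=strptime(host_created_date, "%Y-%m-%d")
| bin _time span=1w
| stats dc(host) as host_count by list _time
| timechart span=1w sum(host_count) as Total
```

The duplicated srvCC01 row is counted once, because dc(host) is evaluated per list and per weekly bucket before timechart sums the per-list counts.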

utk123
Path Finder

I get the below error:

Error in 'inputlookup' command: This command must be the first command of a search.

0 Karma

scelikok
SplunkTrust

Do you have anything before the search you sent us? If yes, we should find another way to do it.

If this reply helps you, an upvote and "Accept as Solution" are appreciated.
0 Karma