Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart with multiple where like statements

Marco
Communicator
‎08-18-2020 02:29 PM

Hello Guys,

I'm trying to plot multiple values onto a time chart. These values are collected through a Where Like statement.

For Example:

host=* time count(where like(COMMAND,"%  MKDIR%")) as "MKDIR", count(where like(COMMAND,"%  LS%")) as "LS", count(where like(COMMAND,"CHMOD")) as "CHMOD"

the output i'm getting is a blank time chart.

Thank you

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Nisha18789
Builder
‎08-19-2020 08:14 AM

Hi @Marco , I have updated the query , could you try this and see it that works?


...| eval MKDIR=If(Like(COMMAND,"%MKDIR%"),1,0),LS=if(Like(COMMAND,"% LS%"),1,0),CHMOD=if(Like(COMMAND,"%CHMOD%"),1,0)
| timechart sum(MKDIR) as MKDIR sum(LS) as LS sum(CHMOD) as CHMOD

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Nisha18789
Builder
‎08-18-2020 03:19 PM

Hi @Marco have you tried 

host=* COMMAND="* MKDIR*" OR  COMMAND="* LS*" OR COMMAND="*CHMOD*" | timechart  count by COMMAND

Reply
Solved! Jump to solution

Marco
Communicator
‎08-19-2020 07:26 AM

That's a bit closer to what I was looking for except its plotting out users that issued the command versus the count of how many people issued each different command.

What i'm looking for is something more like this:

samp.png

0 Karma
Reply
Solved! Jump to solution
Solution

Nisha18789
Builder
‎08-19-2020 08:14 AM

Hi @Marco , I have updated the query , could you try this and see it that works?


...| eval MKDIR=If(Like(COMMAND,"%MKDIR%"),1,0),LS=if(Like(COMMAND,"% LS%"),1,0),CHMOD=if(Like(COMMAND,"%CHMOD%"),1,0)
| timechart sum(MKDIR) as MKDIR sum(LS) as LS sum(CHMOD) as CHMOD

0 Karma
Reply
Solved! Jump to solution

Marco
Communicator
‎08-19-2020 01:23 PM

Thank you so much it worked!!!! @Nisha18789 

 

 

 

0 Karma
Reply
Solved! Jump to solution

Nisha18789
Builder
‎08-19-2020 07:58 AM

ok, so it appears like the COMMAND field is not just containing the command but the user info as well who requested it ? If so, we can first extract a new field from the COMMAND field to separate out the commands and then perform a timechart on that. Can you share a few values of the COMMAND field?

0 Karma
Reply
Solved! Jump to solution

Marco
Communicator
‎08-19-2020 11:34 AM

Hi @Nisha18789 

Correct the Command field contains a whole string

ex: 

COMMAND="Aug 18 13:01:5RMDIR (userid)  "

COMMAND="Aug 18 13:00:04 MKDIR (JOHNDOE)  "

COMMAND="Aug 18 13:00:06 LS(SALLY)  "

COMMAND="Aug 18 13:00:09 MKDIR (TOM)"

Which is why I originally used the Where Like functions  since in a way it searches the string to see if a part of the string matches the given parameters. Followed by the count function to count each occurrence. 

Unfortunately the solution you suggested gave me a blank time chart. 

 
 

 

0 Karma
Reply
Solved! Jump to solution

Nisha18789
Builder
‎08-19-2020 12:55 PM

@Marco , please try the updated query and let me know if that works.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...