Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Timechart with multiple where like statements

Marco
Communicator
‎08-18-2020 02:29 PM

Hello Guys,

I'm trying to plot multiple values onto a time chart. These values are collected through a Where Like statement.

For Example:

host=* time count(where like(COMMAND,"%  MKDIR%")) as "MKDIR", count(where like(COMMAND,"%  LS%")) as "LS", count(where like(COMMAND,"CHMOD")) as "CHMOD"

the output i'm getting is a blank time chart.

Thank you

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Nisha18789
Builder
‎08-19-2020 08:14 AM

Hi @Marco , I have updated the query , could you try this and see it that works?


...| eval MKDIR=If(Like(COMMAND,"%MKDIR%"),1,0),LS=if(Like(COMMAND,"% LS%"),1,0),CHMOD=if(Like(COMMAND,"%CHMOD%"),1,0)
| timechart sum(MKDIR) as MKDIR sum(LS) as LS sum(CHMOD) as CHMOD

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Nisha18789
Builder
‎08-18-2020 03:19 PM

Hi @Marco have you tried 

host=* COMMAND="* MKDIR*" OR  COMMAND="* LS*" OR COMMAND="*CHMOD*" | timechart  count by COMMAND

Reply
Solved! Jump to solution

Marco
Communicator
‎08-19-2020 07:26 AM

That's a bit closer to what I was looking for except its plotting out users that issued the command versus the count of how many people issued each different command.

What i'm looking for is something more like this:

samp.png

0 Karma
Reply
Solved! Jump to solution
Solution

Nisha18789
Builder
‎08-19-2020 08:14 AM

Hi @Marco , I have updated the query , could you try this and see it that works?


...| eval MKDIR=If(Like(COMMAND,"%MKDIR%"),1,0),LS=if(Like(COMMAND,"% LS%"),1,0),CHMOD=if(Like(COMMAND,"%CHMOD%"),1,0)
| timechart sum(MKDIR) as MKDIR sum(LS) as LS sum(CHMOD) as CHMOD

0 Karma
Reply
Solved! Jump to solution

Marco
Communicator
‎08-19-2020 01:23 PM

Thank you so much it worked!!!! @Nisha18789 

 

 

 

0 Karma
Reply
Solved! Jump to solution

Nisha18789
Builder
‎08-19-2020 07:58 AM

ok, so it appears like the COMMAND field is not just containing the command but the user info as well who requested it ? If so, we can first extract a new field from the COMMAND field to separate out the commands and then perform a timechart on that. Can you share a few values of the COMMAND field?

0 Karma
Reply
Solved! Jump to solution

Marco
Communicator
‎08-19-2020 11:34 AM

Hi @Nisha18789 

Correct the Command field contains a whole string

ex: 

COMMAND="Aug 18 13:01:5RMDIR (userid)  "

COMMAND="Aug 18 13:00:04 MKDIR (JOHNDOE)  "

COMMAND="Aug 18 13:00:06 LS(SALLY)  "

COMMAND="Aug 18 13:00:09 MKDIR (TOM)"

Which is why I originally used the Where Like functions  since in a way it searches the string to see if a part of the string matches the given parameters. Followed by the count function to count each occurrence. 

Unfortunately the solution you suggested gave me a blank time chart. 

 
 

 

0 Karma
Reply
Solved! Jump to solution

Nisha18789
Builder
‎08-19-2020 12:55 PM

@Marco , please try the updated query and let me know if that works.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...