- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Unable to draw timechart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a query that accumulates the total count for host over a 6 period of month. Now when I am trying to draw time chart for it ,I am unable to do so.It shows no result .
| savedsearch "r1"
| top 10 event by host | sort-count | eventstats sum(count) as TotalNumber| eval PercentOfTotal = round(100 * count / TotalNumber,2). "%"
| stats list(entity) as "Entity" list(count) as "Count", sum(count) as "Total" by event
| sort-Total
| addinfo
| eval rank=1 | accum rank | sort +num(rank) | head (rank <=10) | fields rank, host,event, Entity, Count,Total | eval Entity=mvindex(Entity,0,9)
| eval Count=mvindex(Count,0,9) | eval Percent=mvindex(Percent,0,9)
|timechart span=1d useother=f count by host
Can you please help in drawing timechart
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Timechart requires _time in order to function, but your "stats" commands don't pass _time through. Assuming your saved search includes _time, try this:
| savedsearch "r1"
| bin _time span=1d
| top 10 event by host, _time
| sort-count
| eventstats sum(count) as TotalNumber
| eval PercentOfTotal = round(100 * count / TotalNumber,2). "%"
| stats list(entity) as "Entity" list(count) as "Count", sum(count) as "Total" by event, _time
| sort-Total
| addinfo
| eval rank=1
| accum rank
| sort +num(rank)
| head (rank <=10)
| fields rank, host,event, Entity, Count,Total
| eval Entity=mvindex(Entity,0,9)
| eval Count=mvindex(Count,0,9)
| eval Percent=mvindex(Percent,0,9)
| timechart span=1d useother=f count by host
If your saved search has a different time field, then you may need to convert that to _time using strptime.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much ,it worked
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Timechart requires _time in order to function, but your "stats" commands don't pass _time through. Assuming your saved search includes _time, try this:
| savedsearch "r1"
| bin _time span=1d
| top 10 event by host, _time
| sort-count
| eventstats sum(count) as TotalNumber
| eval PercentOfTotal = round(100 * count / TotalNumber,2). "%"
| stats list(entity) as "Entity" list(count) as "Count", sum(count) as "Total" by event, _time
| sort-Total
| addinfo
| eval rank=1
| accum rank
| sort +num(rank)
| head (rank <=10)
| fields rank, host,event, Entity, Count,Total
| eval Entity=mvindex(Entity,0,9)
| eval Count=mvindex(Count,0,9)
| eval Percent=mvindex(Percent,0,9)
| timechart span=1d useother=f count by host
If your saved search has a different time field, then you may need to convert that to _time using strptime.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey jlemley...The above command is not working, its not showing top10,its just listing alphabetically.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much ,it worked
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
