Why is timechart not working to show DNS count and...

POR160893 · ‎03-29-2023

Hi,

I am trying to show the number of DNS logs per hour here on a graph with the upper and lower bound lines showing on the same plot.

This is my current query:

| tstats count where index=dns groupby _time span=1h
| eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")

| stats avg(count) as lambda
| eval alpha=0.01
| eval lower=lambda/(2*n)
| eval upper=lambda/(2*(1-alpha))

| timechart span=1h sum(count) as count, avg(lower) as lower, avg(upper) as upper

Currently, nothing is outputted:

Can you please help?

Thanks

somesoni2 · ‎03-29-2023

The stats command will summarize and reduce the result to just the 'lambda' field, so your subsequent timechart will not work. You want to keep the output of previous command along with your lambda calculations, so use eventstats instead. (https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Eventstats)

Try something like this

| tstats count where index=dns groupby _time span=1h
| eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")
| eventstats avg(count) as lambda
| eval alpha=0.01
| eval lower=lambda/(2*n)
| eval upper=lambda/(2*(1-alpha))

Why is timechart not working to show DNS count and upper/ lower bounds on the same graph?

chart

stats

tstats

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?