Re: a little search assistance

tkerr1357 · ‎03-09-2021

Hello all,

I need some assistance using the search below to produce a timechart of the number of events per day for the last 90 days.

index=wineventlog source="WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" EventCode=25
| search Source_Network_Address="*" ComputerName="*" User="*"
| eval "Source IP" = coalesce(Source_Network_Address,"")
| eval clientip=Source_Network_Address | sort- _time
| iplocation "Source IP" | where isnotnull(lat)
| streamstats current=f global=f window=1 first(lat) as next_lat first(lon) as next_lon first(_time) as next_time first(clientip) as next_ip first(Country) as next_country first(Region) as next_region by User
| strcat lat "," lon pointA
| haversine originField=pointA units=mi inputFieldLat=next_lat inputFieldLon=next_lon outputField=distance_miles
|strcat next_lat "," next_lon pointB |eval time_dif=(((next_time - _time)/60)/60), distance_miles=round(distance_miles, 2), time_dif=round(time_dif, 2)

ITWhisperer · ‎03-09-2021

| timechart span=1d count

tkerr1357 · ‎03-10-2021

sorry I forgot to mention I tried that and it only returns the number of events for the most recent day. If I remove the majority of the evals and customization adding that timechart works just fine.

tkerr1357 · ‎03-12-2021

I was able to resolve this but had to completely alter my search

a little search assistance

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation