Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to get line chart(timechart) for 2 fields

dtccsundar
Path Finder
‎11-25-2021 05:44 AM

Hi,

I have to create a trending chart for 30 days using the below search .I am not getting the trending using timechart and chart .

 index=s sourcetype=Fire
| fillnull value=""
| eval trmsc = case(Environment="Production" OR Environment="PSE","Workstations Host Intrusion Detection Prevention Agents Not Reporting")
| rename Reporting_Status as Compliance_Status
| replace Reporting with Compliant "Not Reporting" with Noncompliant "Not Reporting (possibly due to ITAM FQDN field not populated)" with NotReporting "Not Reporting (ITAM FQDN field not populated)" with NotReporting in Compliance_Status
| stats count(eval(Compliance_Status=="Compliant" OR Compliance_Status=="Excluded from reporting, yet is reporting")) as Compliant count(eval(Compliance_Status=="Noncompliant" OR Compliance_Status=="NotReporting" OR Compliance_Status=="Error")) as NonCompliant by trmsc 

| append
[| search index=c sourcetype=Asset
| fillnull value=""
| eval trmsc = case(Cloud_Platform="Azure","Azure Baseline Noncompliance",Cloud_Platform="Aws","AWS Baseline Noncompliance")
| search Account_Environment="PROD" OR Account_Environment="PRD" OR Account_Environment="PSE"
| stats sum(CountOf_Compliant_AssetsTested) as Compliant sum(CountOf_Noncompliant_AssetsTested) as NonCompliant by trmsc]

| eval date_wday=strftime(_time,"%A")
| search date_wday="Monday"
| bin _time span=1d
| eventstats count by trmsc
| chart count(trmsc) over _time by Compliance_Status

Please let me know how to get trending chart for the above search .

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-25-2021 06:42 AM

It's unclear what you're trying to do, especially with this appended search. Since you're doing chart over time by Compliance_Status and you don't seem to have this field in this appended subsearch, you're not using the data generated there very much.

Furthermore:

1) no point in doing bin over time then chart when you have timechart command especially for it

2) append and subsearches can be tricky avoid it if you can.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...