Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to get line chart(timechart) for 2 fields

dtccsundar
Path Finder
‎11-25-2021 05:44 AM

Hi,

I have to create a trending chart for 30 days using the below search .I am not getting the trending using timechart and chart .

 index=s sourcetype=Fire
| fillnull value=""
| eval trmsc = case(Environment="Production" OR Environment="PSE","Workstations Host Intrusion Detection Prevention Agents Not Reporting")
| rename Reporting_Status as Compliance_Status
| replace Reporting with Compliant "Not Reporting" with Noncompliant "Not Reporting (possibly due to ITAM FQDN field not populated)" with NotReporting "Not Reporting (ITAM FQDN field not populated)" with NotReporting in Compliance_Status
| stats count(eval(Compliance_Status=="Compliant" OR Compliance_Status=="Excluded from reporting, yet is reporting")) as Compliant count(eval(Compliance_Status=="Noncompliant" OR Compliance_Status=="NotReporting" OR Compliance_Status=="Error")) as NonCompliant by trmsc 

| append
[| search index=c sourcetype=Asset
| fillnull value=""
| eval trmsc = case(Cloud_Platform="Azure","Azure Baseline Noncompliance",Cloud_Platform="Aws","AWS Baseline Noncompliance")
| search Account_Environment="PROD" OR Account_Environment="PRD" OR Account_Environment="PSE"
| stats sum(CountOf_Compliant_AssetsTested) as Compliant sum(CountOf_Noncompliant_AssetsTested) as NonCompliant by trmsc]

| eval date_wday=strftime(_time,"%A")
| search date_wday="Monday"
| bin _time span=1d
| eventstats count by trmsc
| chart count(trmsc) over _time by Compliance_Status

Please let me know how to get trending chart for the above search .

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-25-2021 06:42 AM

It's unclear what you're trying to do, especially with this appended search. Since you're doing chart over time by Compliance_Status and you don't seem to have this field in this appended subsearch, you're not using the data generated there very much.

Furthermore:

1) no point in doing bin over time then chart when you have timechart command especially for it

2) append and subsearches can be tricky avoid it if you can.

0 Karma
Reply
Get Updates on the Splunk Community!

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...