Solved: timechart not showing any result while tstat does

unitrium · ‎09-21-2020

Hi ,

I'm trying to build a single value dashboard for certain metrics. I would like to put it in the form of a timechart so I can have a trend value.

However this search gives me no result :

| tstats `summariesonly` min(_time) as firstTime,max(_time) as lastTime,count from datamodel=Vulnerabilities.Vulnerabilities by Vulnerabilities.signature,Vulnerabilities.dest, Vulnerabilities.severity | `drop_dm_object_name("Vulnerabilities")` | where firstTime!=lastTime AND severity!="informational" | eval age=round((lastTime-firstTime)/86400) | timechart span=30d avg(age) by lastTime

Which is strange because I feel like this command is almost the same :

| tstats `summariesonly` min(_time) as firstTime,max(_time) as lastTime,count from datamodel=Vulnerabilities.Vulnerabilities by Vulnerabilities.signature,Vulnerabilities.dest, Vulnerabilities.severity | `drop_dm_object_name("Vulnerabilities")` | where firstTime!=lastTime AND severity!="informational" | eval age=round((lastTime-firstTime)/86400) | bucket lastTime span=30d | stats avg(age) by lastTime

And this one returns me the results that I want. Could anybody help me out getting a timechart out of this ?

ITWhisperer · ‎09-21-2020

timechart is looking to use _time so try

... | eval age=round((lastTime-firstTime)/86400) | eval _time=lastTime | timechart span=30d avg(age)

View solution in original post

ITWhisperer · ‎09-21-2020

timechart is looking to use _time so try

... | eval age=round((lastTime-firstTime)/86400) | eval _time=lastTime | timechart span=30d avg(age)

timechart not showing any result while tstat does

timechart

tstats

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?