Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timechart of events first appearance

josephpe
Explorer
‎05-20-2021 05:55 PM

I am trying to find events based on when they were initially logged and grouped by some column. For example,  from the below table, I want find those total count of unique "keyId" that logged first group by "parent1" and using timechart

April 20 | A01 | 2  (DATT-001, DATT-002 first appeared in May )
May 20 | A02 | 1  

Basically first appearance of "keyId" grouped by parent1 and shown by timeline

_timekeyIdparent1parent2parent3statuseventdetails
2020-04-19T23:47:21.000+10:00DATT-001A01B01C01Pass 
2020-04-20T2:47:21.000+10:00DATT-001A01B01C01Fail 
2020-05-20T2:47:21.000+10:00DATT-001A01B01C01Fail 
2020-06-20T2:47:21.000+10:00DATT-001A01B01C01Fail 
2020-04-20T2:47:21.000+10:00DATT-002A01B01C01Fail 
2020-05-20T2:47:21.000+10:00DATT-002A01B01C01Fail 
2020-05-20T2:47:21.000+10:00DATT-003A02B01C01Fail 

 

Any help please ?

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-20-2021 11:17 PM 
| stats earliest(_time) as _time by keyid parent1
| bin span=1mon _time
| stats count by _time parent1

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-20-2021 11:17 PM 
| stats earliest(_time) as _time by keyid parent1
| bin span=1mon _time
| stats count by _time parent1
Reply
Solved! Jump to solution

josephpe
Explorer
‎05-21-2021 12:30 AM

Thank you for the query @ITWhisperer , the output has a lot of data even though the bin is specified by 1 mon, is that problem due the _time having the min and second level details. Basically not grouped by month.

2020-10-01 00:11:59

Tried to add timechart to the above query but it comes out empty, am I missing anything here ?


| timechart span=1mon count by name_4

or what should I do to get a month wise group on the data.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-21-2021 12:50 AM

The span=1mon sets all the times to the beginning of the relevant month so minute and second detail is removed. The number of events is down to the combination of keyid and parent1. The stats command has already gathered the data by time (month) keyid parent and count, adding timechart is then charting these results, so for example, there will only be one result for name_4 per month i.e. count equals 1. The problem with timechart is you only have two axis date/time being one axis, count being the other, you then have series based on one field, whereas you as looking for series based on two fields (keyid and parent1). In order to be able to do a timechart, you need to create a new field based on these two fields and chart these. Having said that, if you create the field after the stats in my example, you can then use xyseries _time field count

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...