Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timechart of events first appearance

josephpe
Explorer
‎05-20-2021 05:55 PM

I am trying to find events based on when they were initially logged and grouped by some column. For example,  from the below table, I want find those total count of unique "keyId" that logged first group by "parent1" and using timechart

April 20 | A01 | 2  (DATT-001, DATT-002 first appeared in May )
May 20 | A02 | 1  

Basically first appearance of "keyId" grouped by parent1 and shown by timeline

_timekeyIdparent1parent2parent3statuseventdetails
2020-04-19T23:47:21.000+10:00DATT-001A01B01C01Pass 
2020-04-20T2:47:21.000+10:00DATT-001A01B01C01Fail 
2020-05-20T2:47:21.000+10:00DATT-001A01B01C01Fail 
2020-06-20T2:47:21.000+10:00DATT-001A01B01C01Fail 
2020-04-20T2:47:21.000+10:00DATT-002A01B01C01Fail 
2020-05-20T2:47:21.000+10:00DATT-002A01B01C01Fail 
2020-05-20T2:47:21.000+10:00DATT-003A02B01C01Fail 

 

Any help please ?

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-20-2021 11:17 PM 
| stats earliest(_time) as _time by keyid parent1
| bin span=1mon _time
| stats count by _time parent1

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-20-2021 11:17 PM 
| stats earliest(_time) as _time by keyid parent1
| bin span=1mon _time
| stats count by _time parent1
Reply
Solved! Jump to solution

josephpe
Explorer
‎05-21-2021 12:30 AM

Thank you for the query @ITWhisperer , the output has a lot of data even though the bin is specified by 1 mon, is that problem due the _time having the min and second level details. Basically not grouped by month.

2020-10-01 00:11:59

Tried to add timechart to the above query but it comes out empty, am I missing anything here ?


| timechart span=1mon count by name_4

or what should I do to get a month wise group on the data.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-21-2021 12:50 AM

The span=1mon sets all the times to the beginning of the relevant month so minute and second detail is removed. The number of events is down to the combination of keyid and parent1. The stats command has already gathered the data by time (month) keyid parent and count, adding timechart is then charting these results, so for example, there will only be one result for name_4 per month i.e. count equals 1. The problem with timechart is you only have two axis date/time being one axis, count being the other, you then have series based on one field, whereas you as looking for series based on two fields (keyid and parent1). In order to be able to do a timechart, you need to create a new field based on these two fields and chart these. Having said that, if you create the field after the stats in my example, you can then use xyseries _time field count

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...