Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

timechart returning no results

sarit_s
Communicator
‎01-12-2021 05:09 AM

Hello

im trying to count the number of events of each alert 
the alerts are saved in a lookup file which looks like this:

creation_time	eventtype	kv_key	max_time	min_time	status	tail_id	uuids
1580820272	csm-cbb	5f401	1580820272	1578293527	Open	N8	
7fd5b533

 

when im running this query im getting no results found

| inputlookup kv_alerts_prod
| eval kv_key=_key
| convert  ctime(creation_time) AS _time
| timechart span=1d count by _key

 

what am i missing ?

thanks

Labels (3)
Labels
0 Karma
Reply

General_Talos
Path Finder
‎01-12-2021 05:54 AM

try

| inputlookup kv_alerts_prod
| eval kv_key=_key
| rename creation_time AS _time
| timechart count by _key span=1d limit=0
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-12-2021 05:20 AM

Hi @sarit_s,

it should be sufficient to rename creation_time in -time because it's already in epochtime,

| inputlookup kv_alerts_prod
| eval kv_key=_key
| rename creation_time AS _time
| timechart span=1d count by _key

Another things: I suppose that your lookup is a KV Store, so _key is a unique key, so it shouldn't be possible to have more values for each!

Then why did you used eval kv_key=_key in your search?

Ciao.

Giuseppe

0 Karma
Reply

sarit_s
Communicator
‎01-12-2021 05:26 AM

Hey

thanks for your reply

it is now returning results but it shows only 10 ids and "OTHER" column.. and it is counting to the "OTHER" column.. 
how can i list all of them ?

i used eval since the _key is hidden and its the only way for me to show it

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-12-2021 06:53 AM

Hi @sarit_s,

you can display all the values in timechart using the option "useother=false" in the timechart command (for more infos see at https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Timechart ), but if you have too many values there could be an error in visualization.

As I said, anyway you'll have always the count=1 for each value because _key is a unique key, maybe you should think to a different visualization.

ciao.

Giuseppe

0 Karma
Reply

sarit_s
Communicator
‎01-12-2021 08:23 AM

Hello
thanks for your reply

i think you are right

so, how can i count the number of events for each alert id ? 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-12-2021 09:04 AM

Hi @sarit_s,

as I said alert_id (_key) is a unique key, so it isn't possible to have two rows with the same _key!

if you want a stat, you have to identify another field to aggregate values. e.g. eventtype.

Ciao.

Giuseppe

0 Karma
Reply

sarit_s
Communicator
‎01-12-2021 11:04 AM

ok so i think i will count by uuids but i need to 'group by' by _key since each _key has multiple uuids and i want to know the sum of all the uuids for specific _key

how can i use 'group by' with timechart ?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-13-2021 04:16 AM

Hi @sarit_s,

if you use "timechart count BY _key" you are grouping by _key, but the problem is that _key is a unique value so you'll always count=1.

You have to find a different field for grouping.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...