Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

timechart returning no results

sarit_s
Communicator
‎01-12-2021 05:09 AM

Hello

im trying to count the number of events of each alert 
the alerts are saved in a lookup file which looks like this:

creation_time	eventtype	kv_key	max_time	min_time	status	tail_id	uuids
1580820272	csm-cbb	5f401	1580820272	1578293527	Open	N8	
7fd5b533

 

when im running this query im getting no results found

| inputlookup kv_alerts_prod
| eval kv_key=_key
| convert  ctime(creation_time) AS _time
| timechart span=1d count by _key

 

what am i missing ?

thanks

Labels (3)
Labels
0 Karma
Reply

General_Talos
Path Finder
‎01-12-2021 05:54 AM

try

| inputlookup kv_alerts_prod
| eval kv_key=_key
| rename creation_time AS _time
| timechart count by _key span=1d limit=0
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-12-2021 05:20 AM

Hi @sarit_s,

it should be sufficient to rename creation_time in -time because it's already in epochtime,

| inputlookup kv_alerts_prod
| eval kv_key=_key
| rename creation_time AS _time
| timechart span=1d count by _key

Another things: I suppose that your lookup is a KV Store, so _key is a unique key, so it shouldn't be possible to have more values for each!

Then why did you used eval kv_key=_key in your search?

Ciao.

Giuseppe

0 Karma
Reply

sarit_s
Communicator
‎01-12-2021 05:26 AM

Hey

thanks for your reply

it is now returning results but it shows only 10 ids and "OTHER" column.. and it is counting to the "OTHER" column.. 
how can i list all of them ?

i used eval since the _key is hidden and its the only way for me to show it

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-12-2021 06:53 AM

Hi @sarit_s,

you can display all the values in timechart using the option "useother=false" in the timechart command (for more infos see at https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Timechart ), but if you have too many values there could be an error in visualization.

As I said, anyway you'll have always the count=1 for each value because _key is a unique key, maybe you should think to a different visualization.

ciao.

Giuseppe

0 Karma
Reply

sarit_s
Communicator
‎01-12-2021 08:23 AM

Hello
thanks for your reply

i think you are right

so, how can i count the number of events for each alert id ? 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-12-2021 09:04 AM

Hi @sarit_s,

as I said alert_id (_key) is a unique key, so it isn't possible to have two rows with the same _key!

if you want a stat, you have to identify another field to aggregate values. e.g. eventtype.

Ciao.

Giuseppe

0 Karma
Reply

sarit_s
Communicator
‎01-12-2021 11:04 AM

ok so i think i will count by uuids but i need to 'group by' by _key since each _key has multiple uuids and i want to know the sum of all the uuids for specific _key

how can i use 'group by' with timechart ?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-13-2021 04:16 AM

Hi @sarit_s,

if you use "timechart count BY _key" you are grouping by _key, but the problem is that _key is a unique value so you'll always count=1.

You have to find a different field for grouping.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...