Hello
I'm trying to count the number of events of each alert.
The alerts are saved in a lookup file which looks like this:
creation_time eventtype kv_key max_time min_time status tail_id uuids
1580820272 csm-cbb 5f401 1580820272 1578293527 Open N8 7fd5b533
When I'm running this query I'm getting "no results found":
| inputlookup kv_alerts_prod
| eval kv_key=_key
| convert ctime(creation_time) AS _time
| timechart span=1d count by _key
What am I missing?
Thanks
Try:
| inputlookup kv_alerts_prod
| eval kv_key=_key
| rename creation_time AS _time
| timechart count by _key span=1d limit=0
Hi @sarit_s,
it should be sufficient to rename creation_time to _time because it's already in epoch time:
| inputlookup kv_alerts_prod
| eval kv_key=_key
| rename creation_time AS _time
| timechart span=1d count by _key
Another thing: I suppose that your lookup is a KV Store, so _key is a unique key, so it shouldn't be possible to have more values for each!
Then why did you use eval kv_key=_key in your search?
Ciao.
Giuseppe
Hey,
thanks for your reply.
It is now returning results, but it shows only 10 ids and an "OTHER" column, and it is counting into the "OTHER" column.
How can I list all of them?
I used eval since the _key is hidden and it's the only way for me to show it.
Hi @sarit_s,
you can display all the values in timechart using the option "useother=false" in the timechart command (for more info see https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Timechart ), but if you have too many values there could be an error in visualization.
As I said, anyway you'll always have count=1 for each value because _key is a unique key; maybe you should think of a different visualization.
Ciao.
Giuseppe
Hello,
thanks for your reply.
I think you are right.
So, how can I count the number of events for each alert id?
Hi @sarit_s,
as I said, alert_id (_key) is a unique key, so it isn't possible to have two rows with the same _key!
If you want a stat, you have to identify another field to aggregate values, e.g. eventtype.
Ciao.
Giuseppe
OK, so I think I will count by uuids, but I need to 'group by' _key since each _key has multiple uuids and I want to know the sum of all the uuids for a specific _key.
How can I use 'group by' with timechart?
Hi @sarit_s,
if you use "timechart count BY _key" you are grouping by _key, but the problem is that _key is a unique value, so you'll always get count=1.
You have to find a different field for grouping.
Ciao.
Giuseppe
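Since the question in the thread is the number of uuids per alert _key per day, here is an added SPL example (not from any of the posters) that keeps grouping by _key but counts the uuids inside each row instead of the rows themselves. It assumes uuids is a multivalue field in the KV Store; if it is stored as one comma-separated string, the split() line is the one to use instead.

```spl
| inputlookup kv_alerts_prod
| eval kv_key=_key
``` comment: _key is hidden, so copy it to a visible field for the split-by
| eval uuid_count=mvcount(uuids)
``` comment: if uuids is a single "a,b,c" string, use: eval uuid_count=mvcount(split(uuids, ","))
| eval _time=creation_time
``` comment: creation_time is already epoch, so no ctime conversion is needed
| timechart span=1d limit=0 sum(uuid_count) BY kv_key useother=false
``` comment: limit=0 and useother=false stop the extra keys collapsing into "OTHER"
```

Rows with no uuids yield uuid_count=null, which sum() ignores; add `| fillnull value=0 uuid_count` before the timechart if every key should show a 0 on days it had no uuids.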