
timechart returning no results

sarit_s
Communicator

Hello

I'm trying to count the number of events of each alert.
The alerts are saved in a lookup file which looks like this:

creation_time  eventtype  kv_key  max_time    min_time    status  tail_id  uuids
1580820272     csm-cbb    5f401   1580820272  1578293527  Open    N8       7fd5b533

When I run this query I get "No results found":

| inputlookup kv_alerts_prod
| eval kv_key=_key
| convert  ctime(creation_time) AS _time
| timechart span=1d count by _key


What am I missing?

Thanks

0 Karma

General_Talos
Path Finder

Try:

| inputlookup kv_alerts_prod
| eval kv_key=_key
| rename creation_time AS _time
| timechart count by _key span=1d limit=0
0 Karma

gcusello
SplunkTrust

Hi @sarit_s,

It should be sufficient to rename creation_time to _time because it's already in epoch time:

| inputlookup kv_alerts_prod
| eval kv_key=_key
| rename creation_time AS _time
| timechart span=1d count by _key

Another thing: I suppose that your lookup is a KV Store, so _key is a unique key, and it shouldn't be possible to have more values for each!

Then why did you use eval kv_key=_key in your search?

Ciao.

Giuseppe

0 Karma

sarit_s
Communicator

Hey,

thanks for your reply.

It is now returning results, but it shows only 10 ids and an "OTHER" column, and it is counting into the "OTHER" column.
How can I list all of them?

I used eval since _key is hidden and it's the only way for me to show it.

0 Karma

gcusello
SplunkTrust

Hi @sarit_s,

You can display all the values in timechart using the option "useother=false" in the timechart command (for more info see https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Timechart ), but if you have too many values there could be an error in the visualization.

As I said, anyway you'll always have count=1 for each value because _key is a unique key; maybe you should think of a different visualization.

Ciao.

Giuseppe

0 Karma

sarit_s
Communicator

Hello,
thanks for your reply.

I think you are right.

So, how can I count the number of events for each alert id?

0 Karma

gcusello
SplunkTrust

Hi @sarit_s,

As I said, alert_id (_key) is a unique key, so it isn't possible to have two rows with the same _key!

If you want a stat, you have to identify another field to aggregate values, e.g. eventtype.

Ciao.

Giuseppe

0 Karma

sarit_s
Communicator

OK, so I think I will count by uuids, but I need to 'group by' _key since each _key has multiple uuids and I want to know the sum of all the uuids for a specific _key.

How can I use 'group by' with timechart?

0 Karma

gcusello
SplunkTrust

Hi @sarit_s,

If you use "timechart count BY _key" you are grouping by _key, but the problem is that _key is a unique value, so you'll always get count=1.

You have to find a different field for grouping.

Ciao.

Giuseppe

0 Karma
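Putting the thread's pieces together (epoch creation_time used directly as _time, limit=0 and useother=false to avoid the "OTHER" bucket, and counting the uuids held by each _key instead of the rows), here is an added example that is not from any post above. It assumes uuids is stored as a multivalue field; mvcount() returns null when the field is empty, which coalesce() turns into 0.

```spl
| inputlookup kv_alerts_prod
| eval kv_key=_key
| eval _time=tonumber(creation_time)
| eval uuid_count=coalesce(mvcount(uuids), 0)
| timechart span=1d sum(uuid_count) AS uuid_total by kv_key limit=0 useother=false
```

If uuids is instead a single delimited string, replace mvcount(uuids) with mvcount(split(uuids, ",")) using whatever delimiter the lookup actually uses.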