×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
swedishmike
New Member
Member since: ‎04-08-2014
‎06-05-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-08-2014
Activity Feed
View All

Re: How to create a bar chart that compares values...

by in Splunk Search
‎02-24-2017 10:10 AM
‎02-24-2017 10:10 AM
Actually - it's now showing both Today and Yesterday but I need to work on the sorting/tabulation I think. The idea was to get the bar chart to show the #1 for today with port number and count and in another colour yesterday's #1 with port number and count, then #2 etc etc. Some of them might be the same port but with a different count or they could be different ports altogether. At the moment it sorts on port number so the chart looks a bit weird. It has of course dawned on me that what I'm wanting to do might be impossible. 😉 ... View more

Re: How to create a bar chart that compares values...

by in Splunk Search
‎02-24-2017 09:49 AM
‎02-24-2017 09:49 AM
Many thanks for your reply - but I think something is going wrong somewhere. I only get the "Yesterday - same timeframe" output, with the portnumbers but the count is stuck at 1 for each. Also, just so I get don't misunderstand - the time-range change you made for 'Yesterday - same timeframe" makes that cover the whole day, doesn't it? What I'm after is the same four hours but for the day before if you see what I mean? Cheers! ... View more

Re: How to create a bar chart that compares values...

by in Splunk Search
‎02-24-2017 09:14 AM
‎02-24-2017 09:14 AM
Thanks for your reply but I'm not getting the output I (and probably you) would be expecting. Initially I got the error: "Error in 'top' command: The split by field 'dest_port' cannot be repeated." when I tried your suggestion, after adding a | after "top dest_port by date" it runs through. However, when I run it all I get is values for Yesterday, nothing for today. I'm trying to read up on the logic/functions you've used here to see if I can spot something but I thought I'd let you know about what I see in my end. Cheers! ... View more

How to create a bar chart that compares values ove...

by in Splunk Search
‎02-24-2017 02:29 AM
‎02-24-2017 02:29 AM
I've created a search that displays the top 10 blocked destination ports over the last 4 hours. I've also managed to create a search that not only does that but also shows the top 10 blocked destination ports for the same time period for the previous day. This works, albeit a bit slowly, for me: index=netfw sourcetype="firewall" action!="allowed" earliest=-4h@d latest=now | stats count by dest_port | sort -count | head 10| multikv| eval ReportKey="Last 4 Hours" | append [search index=netfw sourcetype="firewall" action!="allowed" earliest=-2d@d latest=-1d@d | stats count by dest_port | sort -count | head 10 | multikv| eval ReportKey="Yesterday - same timeframe" | eval _time=_time+86400] As I'd (sort of) expect this generates three columns: dest_port, count, ReportKey. If I select Bar Chart in the Visualization tab I actually get two bar charts, 'count' and 'ReportKey'. Only the 'count' one have any data in it. What I'm trying to achieve now is to get a bar chart to work which displays the top 10 for both time periods, if that makes sense? Basically you should be able to look at the chart and see today's data in say yellow and yesterdays in say blue. It might be that port 80 the top blocker today and yesterday but there's a different port (and count) in second. Is this something that is possible to achieve or am I over-reaching again? Also - not sure if this is the most efficient way to do this search so any input on making this quicker as well would be really appreciated. Thank in advance ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM