cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Mindy_McTiernan
Explorer
Member since: ‎06-28-2022
‎06-03-2024
Community Statistics
Posts 6
Solutions 1
Karma Given 4
Karma Received 0
Member Since ‎06-28-2022
Activity Feed
View All

Re: Word Cloud Not Showing

by in Splunk Search
‎06-03-2024 06:19 AM
‎06-03-2024 06:19 AM
If the word list under your tag cloud is displaying the words you expect to see then you might just need to use the format button to define your field label and value. Next to your visual type click Format. Then enter in your field name 'word' value type 'count and then the font sizes you want. I used 100 and 8. ... View more

Re: Timechart reporting zeros in counts

by in Dashboards & Visualizations
‎01-31-2024 09:14 AM
‎01-31-2024 09:14 AM
Thank you for sharing that link @burwell ! It was hugely helpful. What finally ended up working was the following: The additional where line was key. Thank you for helping me work through this! | eval _time = strptime(Opened_At,"%Y-%m-%d %H:%M:%S") | sort -_time | addinfo | where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")   ... View more

Re: Timechart reporting zeros in counts

by in Dashboards & Visualizations
‎01-30-2024 09:17 AM
‎01-30-2024 09:17 AM
This allows me to create a timechart, but the time picker isn't connecting to it. So if I ask for a 90 day timechart I get all records for the last year vs just the last 90 days worth of data. Is there a fix for that @burwell ? ... View more

Re: Timechart reporting zeros in counts

by in Dashboards & Visualizations
‎01-24-2024 12:33 PM
‎01-24-2024 12:33 PM
 I should add that the format of the Opened_At field is '2023-02-03 15:39:44' ... View more

Timechart reporting zeros in counts

by in Dashboards & Visualizations
‎01-24-2024 11:46 AM
‎01-24-2024 11:46 AM
I am trying to use the following search to make a timechart on security incident sources, but Splunk is reporting zeros for all the counts which I can confirm is NOT accurate at all. I think the issue is because I need to use a different time field for the timeline. Can someone assist me in making this chart work?   index=sir sourcetype=sir | rex field=dv_affected_user "(?<user>[[:alnum:]]{5})\)" | rex mode=sed field=opened_at "s/\.0+$//" | rex mode=sed field=closed_at "s/\.0+$//" | rename opened_at AS Opened_At, closed_at AS "Closed At", number AS "SIR Number", dv_assignment_group AS "Assignment Group", dv_state AS State, short_description AS "Short Description", close_notes AS "Closed Notes", dv_u_organizational_action AS "Org Action", u_concern AS Concern, dv_u_activity_type AS "Activity Type", dv_assigned_to AS "Assigned To" | eval _time=Opened_At | eval Source=coalesce(dv_u_specific_source, dv_u_security_source) | fillnull value=NULL Source | table Source, _time, "SIR Number" | timechart span=1mon count usenull=f by Source   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-03-2024 09:42 AM
Karma given to