How to create timechart with multiple values?

NDabhi21 · ‎03-13-2023

Hello!
I'm trying to make a timechart day wise action by unique user for the proxy logs like this one below, but I'm unable add action field as column.

Below query i had build . please suggest command to archive this requirement .

_time	Action/User	Raj	Jane	Tom
2023-03-11T00:00:00.000+0000	Permitted	1	1	1
2023-03-11T00:00:00.000+0000	Block	0	2	4

Query was build which generate above result without action column

| from datamodel:web
| timechart span=1d count(actions) as Actions by user useother=0 limit=10
| addcoltotals

woodcock · ‎04-06-2023

First, accelerate your Web DM, then do this:

| tstats count
FROM datamodel=Web 
BY Web.action Web.user _time span=1d
| rename Web.* AS *
| eval _{action} = count
| fields - action count
| timechart useother=0 limit=10 span=1d sum(_*) AS * BY user

ITWhisperer · ‎03-13-2023

| bin _time span=1d
| stats count by _time User Action
| eval {User}=count
| fields - count User
| stats values(*) as * by _time Action

NDabhi21 · ‎04-06-2023

Could you please suggest another option, above one is not helpful

How to create timechart with multiple values?

using Enterprise Security

SplunkTrust | Where Are They Now - Michael Uschmann

Admin Your Splunk Cloud, Your Way

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1