How to create timechart with multiple values?

NDabhi21 · ‎03-13-2023

Hello!
I'm trying to make a timechart day wise action by unique user for the proxy logs like this one below, but I'm unable add action field as column.

Below query i had build . please suggest command to archive this requirement .

_time	Action/User	Raj	Jane	Tom
2023-03-11T00:00:00.000+0000	Permitted	1	1	1
2023-03-11T00:00:00.000+0000	Block	0	2	4

Query was build which generate above result without action column

| from datamodel:web
| timechart span=1d count(actions) as Actions by user useother=0 limit=10
| addcoltotals

woodcock · ‎04-06-2023

First, accelerate your Web DM, then do this:

| tstats count
FROM datamodel=Web 
BY Web.action Web.user _time span=1d
| rename Web.* AS *
| eval _{action} = count
| fields - action count
| timechart useother=0 limit=10 span=1d sum(_*) AS * BY user

ITWhisperer · ‎03-13-2023

| bin _time span=1d
| stats count by _time User Action
| eval {User}=count
| fields - count User
| stats values(*) as * by _time Action

NDabhi21 · ‎04-06-2023

Could you please suggest another option, above one is not helpful

How to create timechart with multiple values?

using Enterprise Security

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM