Can you help me with an issue I'm having with the ...

james_n · ‎01-24-2019

Hi,

I have data like mentioned below

28-11-01 10:30:13,127 digits=30
28-11-01 07:20:08,240 digits=50
28-11-01 05:01:18,101 digits=60
28-11-01 12:12:22,127 digits=120
09-12-01 12:12:22,127 digits=180
10-01-01 05:01:18,101 digits=500

i want to display the latest digit using a timeline chart. I have written a query like | timechart latest(digits) as latestRecord and it's working fine, but when running this a couple of times in the span of the last 3 months, November months keep changing the output. Like one time, it's displaying 30 — another time 50, 60, 120 like that

if i run multiple times also, expected output:

2018-11 30
2018-12 180
2019-01-500

woodcock · ‎01-27-2019

I believe that your example output is wrong (should be 120 not 30); try this:

| makeresults 
|  eval raw="28-11-01 10:30:13,127 digits=30:::28-11-01 07:20:08,240 digits=50:::28-11-01 05:01:18,101 digits=60:::28-11-01 12:12:22,127 digits=120:::09-12-01 12:12:22,127 digits=180:::10-01-01 05:01:18,101 digits=500"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<_time>.*?) digits=(?<digits>\d+)$"
| eval _time = strptime(_time, "%d-%m-%y %H:%M:%S,%3n")
| sort 0 - _time

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| bin _time span=1d
| dedup _time

renjith_nair · ‎01-24-2019

@james_n ,

| timechart latest(digits) as latestRecord assigns a auto span to the time window (1d,1mon etc) based on your time selection.

Try setting a fixed span based on your requirement. For e.g. if you want the latest data per month , set as 1 mon or day as 1d

| timechart span=1mon latest(digits) as latestRecord

---
What goes around comes around. If it helps, hit it with Karma 🙂

james_n · ‎01-24-2019

hi @renjith.nair thanks for your response, but time is selected by the user using time picker and i tried as what you said, even though its working same..no change

renjith_nair · ‎01-24-2019

@james_n , that's ok. we just need to set the span. So if we set the span to 1mon as in the above example, the search will pick up the latest digit of that month regardless of what time range user selects. How you define latest ? Is it latest of the month or latest of all time (just 1 value) or latest of the day or latest of another parameter?

---
What goes around comes around. If it helps, hit it with Karma 🙂

james_n · ‎01-24-2019

i would like to display latest digit in a entire month like above mentioned expected output from the mentioned data. i am writing query i.e, | timechart latest(digits) as latestRecord , if i mention span also like | timechart span=1mon latest(digits) as latestRecord , not working its keep changing.

renjith_nair · ‎01-25-2019

If you dont want a time series, you can use stats as well

eval time=strftime(_time,"%Y-%m")|stats latest(digits) as latestRecord by time

---
What goes around comes around. If it helps, hit it with Karma 🙂

Can you help me with an issue I'm having with the latest() function in a timechart?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?