TimeChart not working properly

kiran_mh · ‎08-03-2016

hi,

index=msexchange sourcetype="MSExchange:2013:HttpProxy" host="ftlpex02cas01.citrite.net" RpcHttp AND "/rpc/rpcproxy.dll" |timechart span=1d count | trendline sma2(count) as trend | stats latest(count) as Count latest(trend) as trend | eval alert=if(trend > Count, "yes", "no")

i have the above query which has three fields count , trend and alert

But i am not able to get the values for the three fields for the last 7 days i.e i want the values for the three fields to displayed along with date for last 7 days

Thanks in advance

kiran_mh · ‎08-04-2016

Thank you.

One more thing, we have the following query

index=msexchange sourcetype="MSExchange:2013:HttpProxy" host="ftlpex02cas01.citrite.net" RpcHttp AND "/rpc/rpcproxy.dll" |timechart span=1d count | trendline sma2(count) as trend |stats latest(count) as count latest(trend) as trend | eval alert=if(trend > count, "yes", "no")

But in this query the timechart is not working , we are not getting the _time field.

Thanks in advance

sundareshr · ‎08-03-2016

Try this. Since you are using sma2 for your trendline, you will not see trend for the latest event.

index=msexchange sourcetype="MSExchange:2013:HttpProxy" host="ftlpex02cas01.citrite.net" RpcHttp AND "/rpc/rpcproxy.dll" |timechart span=1d count | trendline sma2(count) as trend | eval alert=if(trend > Count, "yes", "no")

TimeChart not working properly

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk