Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

TimeChart not working properly

kiran_mh
Explorer
‎08-03-2016 03:26 AM

hi,

index=msexchange sourcetype="MSExchange:2013:HttpProxy" host="ftlpex02cas01.citrite.net" RpcHttp AND "/rpc/rpcproxy.dll" |timechart span=1d count | trendline sma2(count) as trend | stats latest(count) as Count latest(trend) as trend | eval alert=if(trend > Count, "yes", "no")

i have the above query which has three fields count , trend and alert

But i am not able to get the values for the three fields for the last 7 days i.e i want the values for the three fields to displayed along with date for last 7 days

Thanks in advance

Tags (1)
0 Karma
Reply

kiran_mh
Explorer
‎08-04-2016 12:29 AM

Thank you.

One more thing, we have the following query

index=msexchange sourcetype="MSExchange:2013:HttpProxy" host="ftlpex02cas01.citrite.net" RpcHttp AND "/rpc/rpcproxy.dll" |timechart span=1d count | trendline sma2(count) as trend |stats latest(count) as count latest(trend) as trend | eval alert=if(trend > count, "yes", "no")

But in this query the timechart is not working , we are not getting the _time field.

Thanks in advance

0 Karma
Reply

sundareshr
Legend
‎08-03-2016 06:55 AM

Try this. Since you are using sma2 for your trendline, you will not see trend for the latest event.

index=msexchange sourcetype="MSExchange:2013:HttpProxy" host="ftlpex02cas01.citrite.net" RpcHttp AND "/rpc/rpcproxy.dll" |timechart span=1d count | trendline sma2(count) as trend | eval alert=if(trend > Count, "yes", "no")
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...