TimeChart not working properly

kiran_mh · ‎08-03-2016

hi,

index=msexchange sourcetype="MSExchange:2013:HttpProxy" host="ftlpex02cas01.citrite.net" RpcHttp AND "/rpc/rpcproxy.dll" |timechart span=1d count | trendline sma2(count) as trend | stats latest(count) as Count latest(trend) as trend | eval alert=if(trend > Count, "yes", "no")

i have the above query which has three fields count , trend and alert

But i am not able to get the values for the three fields for the last 7 days i.e i want the values for the three fields to displayed along with date for last 7 days

Thanks in advance

kiran_mh · ‎08-04-2016

Thank you.

One more thing, we have the following query

index=msexchange sourcetype="MSExchange:2013:HttpProxy" host="ftlpex02cas01.citrite.net" RpcHttp AND "/rpc/rpcproxy.dll" |timechart span=1d count | trendline sma2(count) as trend |stats latest(count) as count latest(trend) as trend | eval alert=if(trend > count, "yes", "no")

But in this query the timechart is not working , we are not getting the _time field.

Thanks in advance

sundareshr · ‎08-03-2016

Try this. Since you are using sma2 for your trendline, you will not see trend for the latest event.

index=msexchange sourcetype="MSExchange:2013:HttpProxy" host="ftlpex02cas01.citrite.net" RpcHttp AND "/rpc/rpcproxy.dll" |timechart span=1d count | trendline sma2(count) as trend | eval alert=if(trend > Count, "yes", "no")

TimeChart not working properly

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases

Are you a member of the Splunk Community?

TimeChart not working properly

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases