Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to get line chart(timechart) for 2 fields

dtccsundar
Path Finder
‎11-25-2021 05:44 AM

Hi,

I have to create a trending chart for 30 days using the below search .I am not getting the trending using timechart and chart .

 index=s sourcetype=Fire
| fillnull value=""
| eval trmsc = case(Environment="Production" OR Environment="PSE","Workstations Host Intrusion Detection Prevention Agents Not Reporting")
| rename Reporting_Status as Compliance_Status
| replace Reporting with Compliant "Not Reporting" with Noncompliant "Not Reporting (possibly due to ITAM FQDN field not populated)" with NotReporting "Not Reporting (ITAM FQDN field not populated)" with NotReporting in Compliance_Status
| stats count(eval(Compliance_Status=="Compliant" OR Compliance_Status=="Excluded from reporting, yet is reporting")) as Compliant count(eval(Compliance_Status=="Noncompliant" OR Compliance_Status=="NotReporting" OR Compliance_Status=="Error")) as NonCompliant by trmsc 

| append
[| search index=c sourcetype=Asset
| fillnull value=""
| eval trmsc = case(Cloud_Platform="Azure","Azure Baseline Noncompliance",Cloud_Platform="Aws","AWS Baseline Noncompliance")
| search Account_Environment="PROD" OR Account_Environment="PRD" OR Account_Environment="PSE"
| stats sum(CountOf_Compliant_AssetsTested) as Compliant sum(CountOf_Noncompliant_AssetsTested) as NonCompliant by trmsc]

| eval date_wday=strftime(_time,"%A")
| search date_wday="Monday"
| bin _time span=1d
| eventstats count by trmsc
| chart count(trmsc) over _time by Compliance_Status

Please let me know how to get trending chart for the above search .

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-25-2021 06:42 AM

It's unclear what you're trying to do, especially with this appended search. Since you're doing chart over time by Compliance_Status and you don't seem to have this field in this appended subsearch, you're not using the data generated there very much.

Furthermore:

1) no point in doing bin over time then chart when you have timechart command especially for it

2) append and subsearches can be tricky avoid it if you can.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What did the zero say to the eight?

June 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...