Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to get line chart(timechart) for 2 fields

dtccsundar
Path Finder
‎11-25-2021 05:44 AM

Hi,

I have to create a trending chart for 30 days using the below search .I am not getting the trending using timechart and chart .

 index=s sourcetype=Fire
| fillnull value=""
| eval trmsc = case(Environment="Production" OR Environment="PSE","Workstations Host Intrusion Detection Prevention Agents Not Reporting")
| rename Reporting_Status as Compliance_Status
| replace Reporting with Compliant "Not Reporting" with Noncompliant "Not Reporting (possibly due to ITAM FQDN field not populated)" with NotReporting "Not Reporting (ITAM FQDN field not populated)" with NotReporting in Compliance_Status
| stats count(eval(Compliance_Status=="Compliant" OR Compliance_Status=="Excluded from reporting, yet is reporting")) as Compliant count(eval(Compliance_Status=="Noncompliant" OR Compliance_Status=="NotReporting" OR Compliance_Status=="Error")) as NonCompliant by trmsc 

| append
[| search index=c sourcetype=Asset
| fillnull value=""
| eval trmsc = case(Cloud_Platform="Azure","Azure Baseline Noncompliance",Cloud_Platform="Aws","AWS Baseline Noncompliance")
| search Account_Environment="PROD" OR Account_Environment="PRD" OR Account_Environment="PSE"
| stats sum(CountOf_Compliant_AssetsTested) as Compliant sum(CountOf_Noncompliant_AssetsTested) as NonCompliant by trmsc]

| eval date_wday=strftime(_time,"%A")
| search date_wday="Monday"
| bin _time span=1d
| eventstats count by trmsc
| chart count(trmsc) over _time by Compliance_Status

Please let me know how to get trending chart for the above search .

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-25-2021 06:42 AM

It's unclear what you're trying to do, especially with this appended search. Since you're doing chart over time by Compliance_Status and you don't seem to have this field in this appended subsearch, you're not using the data generated there very much.

Furthermore:

1) no point in doing bin over time then chart when you have timechart command especially for it

2) append and subsearches can be tricky avoid it if you can.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...