Splunk Search

How to display events in chronological order on a graph?

DEAD_BEEF
Builder

I am displaying the number of bytes out per hour for a single user. When I attempt to graph this for the last 24 hours, the Visualization keeps listing the x-axis (each hour) in numerical order.

e.g.: if I run the query at 1500 (3PM), I expect data from yesterday 1500 to today 1500:
15, 16, 17, ... 24, 1, 2.... 14, 15

But what I keep getting instead is
0, 1, 10, 11, 12...19, 2, 20, 21...4, 5, 6, 7

How can I get the data to display in the chronological order (oldest to newest)?

I have tried the following sorts to no avail:

sort _time
sort - _time
sort - Time
sort 0 _time
sort 0 - _time
sort 0 - Time

query: index=bro sourcetype=bro_http src_ip=1.2.3.4 | bucket _time span=1h | stats sum(bytes_out) by date_hour | rename sum(bytes_out) AS "Bytes out/hour" | sort _time

1 Solution

somesoni2
SplunkTrust

Maybe using timechart instead of "bucket..stats" resolves this. Timechart will give output in chronological order.

index=bro sourcetype=bro_http src_ip=1.2.3.4 | timechart span=1h sum(bytes_out) as "Bytes out/hour"

Update:
Another option

index=bro sourcetype=bro_http src_ip=1.2.3.4 | timechart span=1h sum(bytes_out) as "Bytes out/hour" | eval time=strftime(_time,"%H.%M") | table time "Bytes out/hour"

Updated:
for multiple src_ip

index=bro sourcetype=bro_http src_ip=1.2.3.4 OR src_ip=5.6.7.8 OR src_ip=9.10.11.12 | timechart span=1h sum(bytes_out) as "Bytes out/hour" by src_ip | eval time=strftime(_time,"%H.%M") | fields - _time | table time *


DEAD_BEEF
Builder

Thank you again! I'm working out your responses line by line to really understand it.


somesoni2
SplunkTrust

Removing the _time field (replacing it with a regular field) makes it a regular (x,y) chart.

For multiple IP addresses, see the last updated answer.
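The ordering problem in the question and the fix in the accepted answer can be reproduced outside Splunk. The following Python example is added here and is not code from the thread or from Splunk; it uses a handful of constructed events for one source IP over a 24-hour window that crosses midnight. `lexical_hour_order` mimics the question's `stats ... by date_hour`, where the hour label becomes the group key and the original `_time` no longer exists to sort on (so `sort _time` after the `stats` has nothing to act on, and the labels come out as 0, 1, 10, 11, ..., 2, 20, ...). `chronological_hour_order` mimics the answer's `timechart ... | eval time=strftime(_time,"%H.%M")`: keep the real bucket timestamp as the key, order by it, and only then turn it into a plain string label for the x-axis. The `%H.%M` format is the one used in the answer; everything else (event shape, values, function names) is an assumption for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not from the thread): a single src_ip with bytes_out per
# HTTP event, starting at 15:00 and running 24 hours so the series wraps past midnight.
BASE = datetime(2024, 3, 1, 15, 0, tzinfo=timezone.utc)
EVENTS = [
    {"_time": BASE + timedelta(hours=h, minutes=m), "src_ip": "1.2.3.4", "bytes_out": size}
    for h, m, size in [
        (0, 5, 1200), (0, 40, 800),    # 15:xx  -> 2000 bytes
        (3, 10, 5000),                 # 18:xx  -> 5000 bytes
        (11, 0, 300), (11, 30, 700),   # 02:xx next day -> 1000 bytes
        (19, 15, 64),                  # 10:xx next day -> 64 bytes
        (23, 59, 42),                  # 14:xx next day -> 42 bytes
    ]
]


def hourly_bytes_out(events, src_ip):
    """Equivalent of `bucket _time span=1h | stats sum(bytes_out)`, but keyed by the
    bucket's real start timestamp instead of by the hour-of-day label."""
    totals = defaultdict(int)
    for event in events:
        if event["src_ip"] != src_ip:
            continue
        bucket = event["_time"].replace(minute=0, second=0, microsecond=0)
        totals[bucket] += event["bytes_out"]
    return dict(totals)


def lexical_hour_order(totals):
    """What the question's search produced: the group key is the hour label, the
    timestamp is gone, and the labels sort as strings ("10" before "2")."""
    by_label = defaultdict(int)
    for bucket, total in totals.items():
        by_label[str(bucket.hour)] += total
    return [(label, by_label[label]) for label in sorted(by_label)]


def chronological_hour_order(totals):
    """What the accepted answer achieves: order by the bucket timestamp first, then
    format it with the answer's "%H.%M" so the chart treats it as a plain x value."""
    return [(bucket.strftime("%H.%M"), total) for bucket, total in sorted(totals.items())]


if __name__ == "__main__":
    totals = hourly_bytes_out(EVENTS, "1.2.3.4")
    print("lexical      :", lexical_hour_order(totals))
    print("chronological:", chronological_hour_order(totals))
```

Run as is, the lexical version lists 10, 14, 15, 18, 2, which is the symptom in the question, while the chronological version lists 15.00, 18.00, 02.00, 10.00, 14.00, oldest to newest across the midnight boundary. The same idea extends to several source IPs by calling `hourly_bytes_out` once per IP and joining on the bucket timestamp before formatting, which is what the answer's `timechart ... by src_ip` does in one step.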

DEAD_BEEF
Builder

The second query is exactly what I was looking for! When I've used timecharts in the past, you cannot dictate the number of "ticks" on the x-axis (like in your first suggestion) which is why I was using buckets, yet the second query shows every hour. What about the second query forces it to show each tick mark?

EDIT: Also, could you suggest a way to graph this for 3 source IP addresses (3 lines showing bytes out per hour)?
