- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Need help in trending chart with one single line
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need help in trending chart with one single line
Hi ,
When i select a value from filter which has both true and false values , i am getting trending lines for both .But when i select a value which has false values and there is 0 True values , i am not getting any lines for both .
My requirement :
When i select a value which has only true values , there should be single trending line showing true values .
Please help me out in this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i think you need to check your query
`Server_Reconciliation_Trending` |search $mode_id$ |timechart count by reporting_status
|rename Reporting as r|rename "Not Reporting" as nr|eval T=nr+r|eval nrpct=round((nr/T)*100,3)|eval rpct=round((r/T)*100,3)|rename nrpct as "Not Reporting" rpct as "Reporting"| fields _time "Not Reporting" Reporting
|rename Reporting as r|rename "Not Reporting" as nr but before that you have written timechart count by reporting_status then what you are renaming ? rename works on field i think you are trying to rename field values i.e. values of reporting_status then you must use | replace Reporting WITH r , "Not Reporting" WITH nr IN reporting_status
I think you should check your query first!
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi Mayur,
Thanks for ur help. I am getting only yesterdays value for Not reporting trending ,when both( reporting and not reporting) the values.
I am renaming the indexes to reporting and not reporting respectively.
Please assist me
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it would be great if you give us sample input and output you want to achieve.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Input : 2 indexes
Output :
_time Reporting Not reporting
08/12 1492 22
09/12 1490 24
.
.
09/01 1485 29
These are o/p.. Is that enough for you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=index1 OR index=index2 | timechart span=1d count by reporting_status
Run this for last 7 days or month. You can change span=1d currently i have set it to 1 day
assuming that reporting_status is a filed that contains Reporting and Not reporting value.
let me know if this works!
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
