Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I do both filtering and grouping on a timechart?

np75014
Explorer
‎01-16-2015 02:10 AM

My Splunk server is being forwarded events from a remote Windows machine. Those events correspond to device connections and disconnections. Each event corresponds to either a connection or disconnection.

I have a CSV file containing information about those devices. The CSV file's headers looks like this:
DriverName,DeviceManufacturer,DriverVersion,DeviceModel,DeviceCategory

Only DeviceManufacturer and DeviceModel information are available in the forwarded events. The others are not.

This is what I need to do:
** 1.** Display on a timechart the connected devices for every hour during the last day.
2. Filter the displayed data by one or more of the fields of the CSV file that are listed above.
3. Provide the options to group the displayed data by one of the same fields of the CSV file that are listed above.

Example:
List the connected devices every hour during the last day filtered by DeviceManufacturer=X and DeviceModel=Y, grouped by DeviceCategory (See example).

For now I managed to do points 1 and 2, but I cannot combine them with point 3. (I can display the timechart and filter by fields but cannot combine them with the grouping).
I did this using the following search:

eventtype=DRIVER_STATUS_CHANGED | rex "Message=(?.+?) status changed from (?.+?) to (?.+?)\." 
| eval counter=case(to_status="Connected", 1, from_status="Connected", -1, 1==1, 0) 
| timechart span=1m sum(counter) as counter 
| streamstats sum(counter) as counter | eventstats min(counter) as min 
| eval counter=if(min < 0, counter + (min*-1), counter) | fields - min
Reply

Miles333
New Member
‎10-05-2016 04:13 AM

I still have several points to be clarified. First of all, how can this search be represented in a timechart? And I also want to group events by Drivername or None. I guess something's wrong in a command I'm trying. I'll try to check it thoroughly.
Miles - Check http://domyhomeworkonline.net/ with Miles Preskott topic

0 Karma
Reply

lguinn2
Legend
‎01-16-2015 10:53 AM

Sorry, I could not see your image at http://www.filedropper.com/image_5

And something is definitely wrong with the rex command in the your question - it isn't extracting any fields. So I think there may be a cut-and-paste problem there... Try this:

eventtype=DRIVER_STATUS_CHANGED DeviceManufacturer=X and DeviceModel=Y
| rex "Message=(?.+?) status changed from (?<from_status>?.+?) to (?<to_status>?.+?)\." 
| lookup device_lookup DeviceManufacturer DeviceModel
| eval counter=case(to_status="Connected", 1, from_status="Connected", -1, 1==1, 0) 
| bucket span=1m _time
| stats sum(counter) as counter by DeviceCategory _time
| eventstats min(counter) as min by DeviceCategory
| eval counter=if(min < 0, counter + (min*-1), counter) | fields - min
| xyseries _time DeviceCategory counter

You can find more information about Lookups here.

0 Karma
Reply

np75014
Explorer
‎01-18-2015 09:03 AM

Thank you for your answer.

It helped me a lot but I still have some questions in order to really acheive my goal:
- How can I represent these search in a timechart for the last 24 hours or more?
- How can I use the DeviceCategory field as a parameter of the search that can be changed by the user? For example, if i want to group the events by DeviceManufacturer or Drivername or Just None instead?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...