- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a timechart with multiple fields by ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I currently have a search that is appending two more searches to the original for a single line chart that will show the three searches each on a different line. I have looked through documentation and other answer posts, but have yet to find what I'm looking for. I need to be able to rename each line so I can define which is what. From what I have read, the AS command should be renaming, but I'm probably wrong. As a bonus question, is there a way I can define colors for each search that is being done?
index=* sourcetype=fortigate dstcountry="Russian Federation" | timechart span=1hr as Russia by events | append [search index=* sourcetype=fortigate dstcountry="Iran, Islamic Republic of" | timechart span=1hr as Iran by events ] | append [search sourcetype=fortigate dstcountry=China | timechart span=1hr as China by events ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think what you are really looking for is the split by functionality. You should be able to do this using a single search (no subsearches or appends needed) and then do a timechart count by field. Also, if you need to change the value of the dstcountry field to something a little more user-friendly like you have then you can use a case command in eval.
So you'd want to do something like this:
sourcetype=fortigate (dstcountry="Russian Federation" OR dstcountry="Iran, Islamic Republic of" OR dstcountry=China)
| eval dstcounrty=case(dstcountry == "Russian Federation","Russia",dstcountry == "Iran, Islamic Republic of", "Iran", dstcountry == "China","China")
| timechart span=1h count by dstcountry
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think what you are really looking for is the split by functionality. You should be able to do this using a single search (no subsearches or appends needed) and then do a timechart count by field. Also, if you need to change the value of the dstcountry field to something a little more user-friendly like you have then you can use a case command in eval.
So you'd want to do something like this:
sourcetype=fortigate (dstcountry="Russian Federation" OR dstcountry="Iran, Islamic Republic of" OR dstcountry=China)
| eval dstcounrty=case(dstcountry == "Russian Federation","Russia",dstcountry == "Iran, Islamic Republic of", "Iran", dstcountry == "China","China")
| timechart span=1h count by dstcountry
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I dident realize there was no need an append because they were all the same sourcetype. I understand what is going on but with the eval and case command with the two quotes that should be able to change the output name correct? I tried changing both fields when running the search and neither seemed to change it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure what you're saying. What do you mean by both fields. Are the values for dstcountry not changing correctly based on the case command?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes like you said in the answer the case command in eval should change the value of dstcountry to something more user friendly. So instead of Iran Islamic Republic of I would rather just shorten it to Iran. Currently its defaulting to the Iran Islamic Republic of
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Might be an issue with unbalanced quotes or how the field value is showing up. Can you post the search you're using and the data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetype=fortigate (dstcountry="Russian Federation" OR dstcountry="Iran, Islamic Republic of" OR dstcountry=China OR dstcountry="Syrian Arab Republic" OR dstcountry="Saudi Arabia" ) | eval dstcounrty=case(dstcountry == "Russian Federation","Russia",dstcountry== "Iran, Islamic Republic of", "Iran",dstcountry== "China","China", dstcountry== "Syrian Arab Republic","Syria", dstcountry== "Saudi Arabia","Saudi Arabia" ) | timechart span=1h count by dstcountry
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Found the problem. I had a typo in my original post. The eval field is typed out "dstcounRTy" instead of dstcounTRy. This creates a second field with a similar looking name and leaves the original field unchanged.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ahh ok. Totally see that. I made the change and its working as intended. Thank you again for the help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is events a field?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I dont believe so. I just always assumed either counting by event or events would go by the results or number of events returned
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
