Splunk Search

How to edit my search to count a certain event, then group that count by another field in a time chart?

jegreene
New Member

Variables :
LoginString
Connections
UT=10
UT=45

Essentially, I want to grab the login string where UT=45and then tie that LoginString to the Connections. I want to then count the number of times UT=10 happens on that same connection, and group that count by LoginString in a timechart

[01/May/2015:20:39:47 -0400] Connections=12345  - RESULT error=0 UT=10 nentries=0 etime=0.000000
 [01/May/2015:20:39:47 -0400] Connections=12345  random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="randomString"
 [01/May/2015:20:39:47 -0400] Connections=12345  - RESULT error=0 UT=10 nentries=0 etime=0.000000
 [01/May/2015:20:39:47 -0400] Connections=223333  - RESULT error=0 UT=10 nentries=0 etime=0.000000
 [01/May/2015:20:39:47 -0400] Connections=223333  random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="veryUnRandom"
 [01/May/2015:20:40:47 -0400] Connections=55555  - RESULT error=0 UT=10 nentries=0 etime=0.000000
 [01/May/2015:20:40:47 -0400] Connections=55555  random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="veryUnRandom"
 [01/May/2015:20:40:47 -0400] Connections=55555  - RESULT error=0 UT=10 nentries=0 etime=0.000000
 [01/May/2015:20:40:47 -0400] Connections=55555  - RESULT error=0 UT=10 nentries=0 etime=0.000000
 [01/May/2015:20:40:47 -0400] Connections=55555  random=1 - RESULT err=0 UT=45 nentries=0 etime=0.000000 LoginString="veryUnRandom"

In this case, the timechart should have 3 dots with 2 of them being the same color.

randomstring would have 2 and veryUnRandom would have 1 for the first dot and 3 for the second dot

I am close in that I am using eventstats values(LoginString) as LoginStringby conn | where tag=10| timechart span=1h count by LoginString, but it's giving me the connection instead.

Any advice?

0 Karma

lquinn
Contributor

Hi jegreene, I tried out the search you suggested above on the data you supplied and I got what you wanted ... the three points plotted over time and separated by LoginString. 2 and 1 for the first time point and 3 for the second. Have you had a look at it as a column chart? Are there definitely no typos? Is it perhaps the span?

0 Karma

maciep
Champion

You're asking to do a timechart with a one hour span, which means that in your sample events the aggregate will be calculated over the 8pm hour. And you're only grouping by LoginString, which has two distinct values. So you'll only have 2 points on the timechart, one for each LoginString. You can't have 3 points for 2 values. That's where the aggregate comes into play (count in this case). It will perform the aggregate for each group by field and display the result on the graph.

So what exactly would you like to see? You could concatenate LoginString with Connections and then group by that result. That would leave you with 3 values for the group by field and so you would see each of those points on your graph

Does that make sense?

0 Karma

jegreene
New Member

x = time
y = number of connections where UT=10
group by = login string

Those are the three variables.

Makes sense?

Something is wrong in my logic because I am only getting the connections

Essentially the connections should be replaced by the login string

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...