how to use timechart to to search

perlish · ‎08-07-2012

Hi, i want split the login log by timechart span "30s"
in the every "30s",if the login fail count by one ip is bigger than 5, it`s a alert
Now i want know how many alert in the last 7 days, how can i do?
I use this "[login]" result:fail | timechart span="30s" count by ip | search count > 5 | stats

but it`s uncorrect.

Thank you

perlish · ‎08-08-2012

thank you very much, it have already slove my issue.

Now i want to create a pie

"[login]" result:succeed | bin _time span="30s" | stats count by _time, ip | search count > 5

use this search i will got time,ip,count

i want use only ip and count to create a pie, how to do this?
thank you

sideview · ‎08-08-2012

Here you go. You have to use bin and stats manually, instead of using timechart.

"[login]" result:fail | bin _time span="30s" | stats count by _time, ip | search count > 5 | stats count

perlish · ‎08-08-2012

thank you very much, it have already slove my issue.

Now i want to create a pie

"[login]" result:succeed | bin _time span="30s" | stats count by _time, ip | search count > 5

use this search i will got time,ip,count

i want use only ip and count to create a pie, how to do this? thank you

how to use timechart to to search

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes