Splunk Search

Why does the timechart command with an eval result return an empty visualization?

ivan128
Explorer

Hello, I have the following search that calculates a risk value with eval

index=thing sourcetype=thing name=thing earliest=-60d latest=-7d|bucket _time span=1mon | dedup plugin_family plugin_name host-ip ports{}.port ports{}.protocol ports{}.transport | chart count by plugin_family,severity | stats sum(*) as *| join [search index=thing sourcetype=thing name=thing NOT severity=informational | dedup host-ip | chart count as "TOTAL VULNERABLES HOSTS"| stats values(TOTAL VULNERABLES HOSTS) as VH] | join [search  index=thing sourcetype=thing name=thing | dedup host-ip | chart count as "TOTAL HOSTS" | stats values(TOTAL HOSTS) as TH]| fillnull critical, high,medium,low |eval RiskValue=/Formula/| timechart span=1mon max(RiskValue)

VH, TH and RiskValue show the correct values when I checked them with |fields TH,VH,RiskValue, but when I try to timechart the RiskValue it shows 0 results. I suspect it's because timechart lacks timestamps to chart the risk values. I tried using a bucket of 1 month and span=1mon in timechart, but still there is no visualization. I searched through the forums, but it seems every solution to charting an eval is specific to the search, and I couldn't find any general rules or solutions that I could work from. Any help is appreciated, thanks.


kmaron
Motivator

Add by _time to the end of your stats:

| stats sum(*) as * by _time

ivan128
Explorer

Tried it and it didn't work. I also tried using eventstats instead of stats, but to no avail.

Edit: seems like I posted as answer instead of comment, apologies.


kmaron
Motivator

I think you have a lot more going on than is necessary, especially the joins and subsearches and chart/stats. I don't have a way to test this, so I don't know if it's quite correct, but I think it's close:

index=thing sourcetype=thing name=thing earliest=-60d latest=-7d
| bucket _time span=1mon 
| dedup host-ip plugin_family plugin_name host-ip ports{}.port ports{}.protocol ports{}.transport 
| stats count(eval(severity!="informational")) as VH, dc(host-ip) as TH, count by plugin_family, severity, _time
| fillnull critical, high,medium,low 
| eval RiskValue=/Formula/
| timechart span=1mon max(RiskValue)
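As an added example (not kmaron's or ivan128's search), the same monthly totals computed without the two joins: eventstats attaches the per-month host counts to every event before the aggregation, and every stats that follows groups by _time so timechart still has a timestamp. It assumes the field names from the thread (severity values critical/high/medium/low and informational, host-ip) and keeps the /Formula/ placeholder as written in the question.

```spl
index=thing sourcetype=thing name=thing earliest=-60d latest=-7d
| bucket _time span=1mon
| dedup _time host-ip plugin_family plugin_name ports{}.port ports{}.protocol ports{}.transport
| eventstats dc(host-ip) as TH by _time
| eventstats dc(eval(if(severity!="informational", 'host-ip', null()))) as VH by _time
| stats count(eval(severity="critical")) as critical,
        count(eval(severity="high")) as high,
        count(eval(severity="medium")) as medium,
        count(eval(severity="low")) as low,
        max(TH) as TH, max(VH) as VH
        by _time
| fillnull critical high medium low
| eval RiskValue=/Formula/
| timechart span=1mon max(RiskValue)
```

The string literals inside eval must be double-quoted; an unquoted `informational` is read as a field name, which does not exist, so the comparison is null and the count stays 0.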

ivan128
Explorer

Thanks for the answer. It's missing a ) to close the stats count(eval. At least now it presents the statistics tab, but the risk value is null. Checking the values in every field, I noticed that the VH (vulnerable hosts) field is 0 in every instance.

Edit: unless I'm missing something, the only condition to identify whether a host is vulnerable is that the severity is different from informational, correct?


kmaron
Motivator

I just noticed you have a chart AND a stats. The chart would be dropping the _time field as well.


kmaron
Motivator

You need _time in order to do a timechart, so I suspect you're losing your timestamp somewhere. If you add _time to your fields command, are there values listed?


ivan128
Explorer

The _time field returns a null value. What @adonio mentioned seems to be the cause. Is there a way to keep _time when using stats?


adonio
Ultra Champion

Yup, like @kmaron mentioned, you also lose the _time field when using the stats command.
