Solved: Show time reports for a count search

fedevietti · ‎11-04-2010

Dear All,

I'm doing a search with a summarize count at the end. The search is the following:

(eventtype="searchVPN" msg="AUT22675*") OR (eventtype="searchDC" EventIdentifier="680") OR (eventtype="searchVPN" msg="AUT22670*") OR (eventtype="searchDC" EventIdentifier="552") | rename user as User | stats count by User | where count > 10 | stats count

that count the number of user that have generat more that 10 event of the specified event type.

I'd like to obtain a column graphic that, with a column every 5 minutes, shows the value of this search. Example given:

9.00 - 9.05 -> a column height 5 (5 user has generated more that 10 events of those type) 9.05 - 9.10 -> a column height 6 etc etc

How can I do this?

Thank you

ziegfried · ‎11-04-2010

(eventtype="searchVPN" msg="AUT22675*") OR (eventtype="searchDC" EventIdentifier="680") OR (eventtype="searchVPN" msg="AUT22670*") OR (eventtype="searchDC" EventIdentifier="552") | rename user as User | bucket _time span=5m | stats count by User,_time | where count > 10 | timechart span=5m count

View solution in original post

ziegfried · ‎11-04-2010

(eventtype="searchVPN" msg="AUT22675*") OR (eventtype="searchDC" EventIdentifier="680") OR (eventtype="searchVPN" msg="AUT22670*") OR (eventtype="searchDC" EventIdentifier="552") | rename user as User | bucket _time span=5m | stats count by User,_time | where count > 10 | timechart span=5m count

fedevietti · ‎11-04-2010

thank you very much

Show time reports for a count search

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!