Re: Dashboard

majilan1

I have a search that looks like this:

index=dog sourcetype=cat earliest=-30d 
[| inputlookup LU1_siem_set_list where f_id=*$pick_f_id$*
| stats values(mc) as search
| eval search="mc=".mvjoin(search," OR mc=")]
| stats latest(_time) by ip.

what i see is :

mc                                             latest(_time)
00.00.01                                  1715477192
00.00.02                                   1715477192                                  
00.00.03                                   1715477192

how to present this in a dashboard with time formatted.

Thanks!

majilan1

Thanks, it does help, but when I'm trying to put it in a column chart it does not display anything except the field names _time and ip.

Am I doing something wrong?

Thanks!

richgalloway

Verify the IP field does not have any null values because will not show results if a groupby field has null values.

---
If this reply helps you, Karma would be appreciated.

richgalloway

If the field is named _time then Splunk will format it automatically.

index=dog sourcetype=cat earliest=-30d 
[| inputlookup LU1_siem_set_list where f_id=*$pick_f_id$*
  | stats values(mc) as search
  | eval search="mc=".mvjoin(search," OR mc=")]
| stats latest(_time) as _time by ip

Otherwise, you can use the convert command to format it.

index=dog sourcetype=cat earliest=-30d 
[| inputlookup LU1_siem_set_list where f_id=*$pick_f_id$*
  | stats values(mc) as search
  | eval search="mc=".mvjoin(search," OR mc=")]
| stats latest(_time) by ip
| convert ctime('latest(_time)')

---
If this reply helps you, Karma would be appreciated.

Dashboard

other

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms