Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Create TimeSpan Line Chart After Eval-ing

migquinn
Engager
‎06-08-2019 07:21 PM

Do any experienced Splunkers know what needs to be changed to my query below in order to create a TimeSpan Line Chart over say the past 30 days for counts of the four Severity levels created by the Eval command?

index=myIndex source=mySource host=myHost sourcetype=mySourceType | stats count(eval(severity="0" OR severity="1" OR severity="2")) as Low count(eval(severity="3" OR severity="4" OR severity="5")) as Medium count(eval(severity="6" OR severity="7" OR severity="8")) as High count(eval(severity="9" OR severity="10")) as Critical | table Low Medium High Critical | transpose | rename column as Severity "row 1" as Count

I have attached a screenshot and instead of the values on the right-hand side being 1 - 10, I'd like them to be Low, Medium etc...

Thanks in advance

alt text

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-09-2019 10:33 AM

Try this untested query:

index=myIndex source=mySource host=myHost sourcetype=mySourceType 
| eval Severity=case(severity="0" OR severity="1" OR severity="2"), "Low", (severity="3" OR severity="4" OR severity="5"), "Medium", (severity="6" OR severity="7" OR severity="8"), "High", (severity="9" OR severity="10"), "Critical") 
| timechart count as Count by Severity
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-09-2019 10:33 AM

Try this untested query:

index=myIndex source=mySource host=myHost sourcetype=mySourceType 
| eval Severity=case(severity="0" OR severity="1" OR severity="2"), "Low", (severity="3" OR severity="4" OR severity="5"), "Medium", (severity="6" OR severity="7" OR severity="8"), "High", (severity="9" OR severity="10"), "Critical") 
| timechart count as Count by Severity
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

migquinn
Engager
‎06-12-2019 04:31 PM

Thanks for the input. It didn't work when I tried it but I took your command, switched it up a little and positioned it further up the query and it worked:

index=myIndex source=mySource host=myHost sourcetype=mySourceType | timechart count(eval(severity="0" OR severity="1" OR severity="2")) as Low count(eval(severity="3" OR severity="4" OR severity="5")) as Medium count(eval(severity="6" OR severity="7" OR severity="8")) as High count(eval(severity="9" OR severity="10")) as Critical

Again, thanks for your help on this!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-15-2019 04:10 AM

@migquinn If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...