- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do you timechart a time-constricted search...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Heya,
This might be something really simple, but I just can't get my head around how to do it.
I'm using Splunk to estimate the concurrent number of users, by seeing anyone who has logged in in the past 2 hours (which is when you'd need to log back in due to timeouts, etc.). I then need to timechart that across a month to see what was the maximum for each day.
My current search looks like:
source=blah earliest=-2h
| stats dc(ID) AS Users
Help would be most appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ejeny,
Try this ,
source=blah earliest=-1mon@mon
|eval day=strftime(_time,"%d-%b")|timechart span=2h dc(ID) as Users by day useother=f
|untable _time,day,Users|eventstats max(Users) as max by day
|maketable _time,day,Users,max|rename "count: *" as *,"max: *" as *(Max)
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ejeny,
Try this ,
source=blah earliest=-1mon@mon
|eval day=strftime(_time,"%d-%b")|timechart span=2h dc(ID) as Users by day useother=f
|untable _time,day,Users|eventstats max(Users) as max by day
|maketable _time,day,Users,max|rename "count: *" as *,"max: *" as *(Max)
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the help! It does seem to be what I'm looking for, albeit the format is a bit broken for my purpose. I would ideally want to sort everything by host as well.
source=blah
| timechart span=2h dc(ID) as Users by host
The above gives me a good neat table for every 2h, but I'm a bit confused how you retrieve the maximum. Would it not be possible without the Day field? The end result in your code ends up with each day as it's own line on a graph, making it very unreadable.
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ejeny,
As per your question , you need "maximum for each day" and for that we need to have data split across day. If that's not the case , on what basis you need maximum ?
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do still need the maximum per day, however I need to have all data sorted per host as well, ultimately, rather than having each individual day show as a line on a graph.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ejeny, alright, what about this
source=blah
|timechart span=2h dc(ID) as Users by host useother=f
|untable _time,host,Users
|eval day=strftime(_time,"%d-%b")
|eventstats max(Users) as max by day,host
|maketable _time,host,Users,max|rename "count: *" as *,"max: *" as *(Max)
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That did the trick, thank you!
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
