Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to do timechart on a field that has same name but different alert level?

wuming79
Path Finder
‎07-27-2017 11:40 PM

Hi,

I have a log with a field call "Event_Types" and then another field call "Alert Level" .
In my logs there is an event call "Ping" but this "Ping" has 2 Alert Levels 6 and 10.
I want to do a timechart on Event_Types but also want to show that there are 2 pings with different alert levels counted over time. How should I search for it?

Alert_Level > 6 | timechart count(Event_Types) as Event_Types count(Alert_Level) will show "The argument 'count(Alert_Level)' is invalid."

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-28-2017 09:41 AM

Give this a try
Updated: Fixed typo with field name

your base search | eval EventType=Event_Types.":".Alert_Level | timechart count by EventType

OR

your base search  | where Alert_Level > 6 | eval EventType=Event_Types.":".Alert_Level | timechart count by EventType

View solution in original post

0 Karma
Reply
Solved! Jump to solution

wuming79
Path Finder
‎07-28-2017 10:23 AM

Hi somesoni2,

the search show all NULL.

alt text

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-28-2017 11:51 AM

@wuming79, there was a typo in my original answer (thanks @niketnilay for pointing that one out), which may be causing that NULL column name. Try the updated answer.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-28-2017 09:41 AM

Give this a try
Updated: Fixed typo with field name

your base search | eval EventType=Event_Types.":".Alert_Level | timechart count by EventType

OR

your base search  | where Alert_Level > 6 | eval EventType=Event_Types.":".Alert_Level | timechart count by EventType
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎07-28-2017 10:36 AM

@somesoni2, I think field name is Event_Types and not Event_Type.
@wuming79, can you please confirm the field names Event_Types and Alert_Level?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

wuming79
Path Finder
‎07-30-2017 06:37 AM

Hi, it's working now. Thanks! 🙂

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎07-28-2017 02:31 AM

Are you trying a query like the following?

| where Alert_Level > 6 | timechart count(Event_Types) as Event_Types count(Alert_Level) as Alert_Level
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

wuming79
Path Finder
‎07-28-2017 08:34 AM

Hi sorry, I made a mistake, I need it to display "|Alert_Level > 6 | timechart count(Event_Types) by Event_Types count(Alert_Level) "

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...