Re: Need another column in chart

tsheets13 · ‎09-12-2019

Forgive my newbiness. I've been working with Splunk for many years but not developing reports. I have a report that works well. After the search criteria and all are completed, the following shows the report...

timechart span=30m max(ms) as MS, by server
| eval Time=strftime(_time,"%H:%M:%S %m/%d/%Y")
| untable Time, server, ms
| sort +Time

I got Time and server and ms columns beautifully.

However, there is a field called APP that I would like to also display a column for. How can I get the report to included this column?

jpolvino · ‎09-12-2019

If your events have many values for APP, then what kind of statistical function would you apply in the timechart command to render a useful value in your chart? Suppose you have 2 hosts for every 30 minutes, your table would have a rows that look like:
timestamp00,host1,MS1
timestamp00,host2,MS2
timestamp30,host1,MS3
timestamp30,host2,MS4
...

Is APP static value you just want tacked on the right side?

tsheets13 · ‎09-12-2019

Early in the search we do a lookup

lookup TimeServersV2.csv server as server OUTPUT "type" as type APP as APP

type is used as part of the search succesfully, but if I add either APP or type to the untable command, it complains "The argument 'type' is invalid.

Need another column in chart

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases