Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

timechart - how to work with timechart and stats count by

juliop3p
Explorer
‎06-16-2022 03:20 PM

Hi guys, i need some help.

I'm trying to make a time chart to compare how many times my system gets restarted comparing today with 7 days ago.

I have this healthcheck log and the first log is when the user logs in for the first time and the next is the times that the user restarts my app.

with the following query works just fine the problem here is that i get the results from (initialization + restart) but i want the result just from the restart.

 

index=myIndex Title=Healthcheck earliest=-10d@d latest=@d
| timechart span=1h count
| timewrap d series=short
| fields _time s0 s7
| rename s0 as Today, s7 as "7 days ago"

 



with this other query i have exactly the restart from each user but i cant make it work with time chart.

 

index=myIndex Title=Healthcheck 
| stats count by Data.Ip
| eval count = count - 1

 



if it was confused i posted this other question explaining my scenario: https://community.splunk.com/t5/Splunk-Search/How-to-change-the-result-of-my-stats-count/td-p/600364

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-16-2022 08:28 PM

Can you identify which of the events in the index are initialisation events and which are restart events?

0 Karma
Reply

juliop3p
Explorer
‎06-16-2022 09:16 PM

i can't, i just know that the first log from each hostname is the initialisation.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-16-2022 10:35 PM

Would that be the first log for each host ever, no matter what the time frame for the search, e.g. only looking at yesterday? Or, the first log for each host each day, no matter what the time frame for the search, e.g. only looking at yesterday afternoon?

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎06-16-2022 10:31 PM

@juliop3p - Kindly post sample events, that will make it easier to understand.

0 Karma
Reply

juliop3p
Explorer
‎06-16-2022 10:50 PM

every time a user open the app generate a healthcheck log like that:

Data
  - HostName: 1234
  - AppVersion: 1.0.0
  - SO: W10

the same user (HostName) can have like 3 of this logs in one day but i want to track just reinitialisation, so in this example i have 3 logs:

1 log :  initialisation
2 logs: reinitialisation

and i want to have a timechart view so i can track the total reinitialisation by hour comparing with 7 day ago

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-16-2022 11:04 PM

What happens if the user closes the app and re-opens it on the same day? Can you distinguish this as a new initialisation?

0 Karma
Reply
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...