how to use timechart for datamodel with tstats and prestats set to true in splunk


Question


I have a data model containing a dataset from which I would like to extract and plot data over two specific time ranges. For that, I'm using tstats to fetch data from the Blocked_Traffic datamodel (because there's a huge amount of data) in the first query, which I'm then piping into another query for the second timerange. In order for that to work, I have to set prestats to true. The documentation indicates that it's supposed to work with the timechart function, but no matter my final query, I can't get a graph line chart (or any type of chart) to display. Here's my pseudo-query:

| tstats prestats=true count FROM datamodel=Network_Traffic.All_Traffic WHERE nodename=All_Traffic.Traffic_By_Action.Blocked_Traffic AND NOT All_Traffic.src_ip IN (0.0.0.0) AND All_Traffic.dest_ip!="10.*" AND All_Traffic.bytes_out > 1000 earliest=-3h@h latest=-10min@min by All_Traffic.bytes_out
| tstats prestats=true append=true count FROM datamodel=Network_Traffic.All_Traffic WHERE nodename=All_Traffic.Traffic_By_Action.Blocked_Traffic AND NOT All_Traffic.src_ip IN (0.0.0.0) AND All_Traffic.dest_ip!="10.*" AND All_Traffic.bytes_out > 1000 earliest=-27h@h latest=-24h@h by All_Traffic.bytes_out
| timechart sum(All_Traffic.bytes_out)

I feel like the prestats parameter is making me lose the timestamps, which prevents the timechart function from working, but I'm not really sure. Any help would be appreciated.

Answer 1

Score: 3


You're actually losing _time with your tstats commands...

You need to include _time in the by clause of your tstats commands, then you'll have it for use with timechart.

huangapple
  • Posted on 2023-06-08 16:29:08
  • Please keep this link when reposting: https://go.coder-hub.com/76429971.html
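As an added example that is not part of the original question or answer, here is the poster's query rewritten along the lines of the answer: _time goes into the BY clause of both tstats calls, with the same span that the final timechart uses, so the prestats output still carries a bucketed timestamp. Two further points a practitioner would want here: output produced with prestats=true can only be consumed by a command that asks for the same aggregates, so sum(All_Traffic.bytes_out) has to be requested in tstats itself rather than first appearing in timechart; and the earliest/latest values inside WHERE are local to each tstats call, so the search-bar time picker only needs to be wide enough to cover both ranges. The 10-minute span and the dotted dataset path All_Traffic.Traffic_By_Action.Blocked_Traffic (the CIM Network_Traffic hierarchy) are assumptions on my part.

```spl
| tstats prestats=true count, sum(All_Traffic.bytes_out)
    FROM datamodel=Network_Traffic.All_Traffic
    WHERE nodename=All_Traffic.Traffic_By_Action.Blocked_Traffic
      AND NOT All_Traffic.src_ip IN (0.0.0.0)
      AND All_Traffic.dest_ip!="10.*"
      AND All_Traffic.bytes_out > 1000
      earliest=-3h@h latest=-10min@min
    BY _time span=10m
| tstats prestats=true append=true count, sum(All_Traffic.bytes_out)
    FROM datamodel=Network_Traffic.All_Traffic
    WHERE nodename=All_Traffic.Traffic_By_Action.Blocked_Traffic
      AND NOT All_Traffic.src_ip IN (0.0.0.0)
      AND All_Traffic.dest_ip!="10.*"
      AND All_Traffic.bytes_out > 1000
      earliest=-27h@h latest=-24h@h
    BY _time span=10m
| timechart span=10m count, sum(All_Traffic.bytes_out)
```

Because the two ranges are about 24 hours apart, timechart draws them at opposite ends of a single axis with an empty gap between. If the goal is to compare yesterday's window with today's on one set of x-values, appending | timewrap 1d after the timechart folds the series by day so the two windows overlay; that is a suggestion beyond what the answer states, not something the page itself shows.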