topic Re: Count and chart two different queries in Splunk Search

Count and chart two different queries

zebulajams — Thu, 20 Jan 2022 17:26:38 GMT

Hey all,

Newbie here learning Splunk. I'm starting to get into dashboards and want to create either a pie chart or just a simple count of how many times a certain string occurs in a log file.

| stats count("no phase found for entry") count("no work order found")

This returns two columns but they both have 0 in them. But if I just search for each string individually or with an OR statement, it returns all entries (which is around 118 combined).

I've been reading through the Splunk Documentation on stats but can't seem to find an answer on how to combine two counts of anything.

Any help is appreciated!

Re: Count and chart two different queries

ITWhisperer — Thu, 20 Jan 2022 17:39:20 GMT

The stats count function is counting events in the pipeline. You can affect which ones are counted a number of way. One way might be to count whether a condition is true. For example:

| eval no_phase=if(match(_raw,"no phase found for entry"),1,0) | eval no_work_order=if(match(_raw,"no phase found for entry"),1,0) | stats sum(no_phase) as no_phase sum(no_work_order) as no_work_order

Re: Count and chart two different queries

zebulajams — Thu, 20 Jan 2022 17:52:40 GMT

Hmm. That didn't seem to work. All it returns is:

No results found. Try expanding the time range.

I expanded to the last 7 days to make sure and it still didn't find anything. I also just tried doing

| eval no_phase=if(match(_raw,"no phase found for entry"),1,0) | stats sum(no_phase) AS phase

This also did not return any results.

Any other ideas?

Re: Count and chart two different queries

somesoni2 — Thu, 20 Jan 2022 19:20:02 GMT

Give this a try

Your base search | stats count(eval(searchmatch("no phase found for entry"))) as count_no_phase count(eval(searchmatch("no work order found"))) as count_no_order

Re: Count and chart two different queries

ITWhisperer — Thu, 20 Jan 2022 19:49:11 GMT

Can you share some of the events you are working with?

Re: Count and chart two different queries

zebulajams — Thu, 20 Jan 2022 20:27:22 GMT

That worked, but I think I discovered a fundamental problem with my search.

As I said, I'm really new to Splunk and didn't know I needed a search at the beginning before I did the stats command. What I did was:

"no phase found for entry" OR "no work order found" | stats count(eval(searchmatch("no phase found for entry"))) AS count_no_phase count(eval(searchmatch("no work order found"))) AS count_no_order

Before the pipe command, can I just search for anything? Or does it have to match exactly what I'm looking for in the searchmatch?

EDIT: Also, it doesn't look like I can plot these results (50 for count_no_phase & 2 for count_no_order) on something like a pie chart after running that search. It splits them into a table format, but I'm not so sure how to get it onto a pie or line chart.