topic Re: 2 Searches on the same bar chart - (further detail described) in Splunk Search

2 Searches on the same bar chart - (further detail described)

lanode — Mon, 05 Nov 2012 11:49:35 GMT

OK - I've got 2 searches:-

sourcetype="Telephone Log" 213 NOT "<I>" 
sourcetype="Telephone Log" 213 NOT "<I>" | regex _raw!=(\b\d\d:00'\d\d)

The first search captures all outbound calls from extension 213

The second search captures all outbound calls from extension 213 that are in excess of 1 miunte

I would like to plot these 2 searches on the same bar chart. With the bars overlayed.

So, for any selected timeframe I can see how many outbound calls have been made on any particluar day and overlayed on that bar another showing me the number of calls that were in excess of 1 minute.

Any help is very much appreciated.

Re: 2 Searches on the same bar chart - (further detail described)

yannK — Mon, 05 Nov 2012 15:03:17 GMT

First, you are missing stats commands to return data in a chart format,
by example | stats count
One method is to merge results from 2 searches, and distinguish them by one field, in this case I use the field "type"
Then use an append between the 2 searches.

Another method is to use a single search, and use the result of the regex field extraction to distinguish them

sourcetype="Telephone Log" 213 NOT "" | regex "(?<myregex>bdd:00'dd)" | fillnull myregex value="not found" | stats count by myregex

Re: 2 Searches on the same bar chart - (further detail described)

lanode — Mon, 05 Nov 2012 16:08:07 GMT

I like it, but doesn't quite do what I require. Probably because I didn't give you enough detail in my original question. Anyway, I have edited the orignal to provide further information. Thank you for your help.

Re: 2 Searches on the same bar chart - (further detail described)

sowings — Tue, 06 Nov 2012 01:56:59 GMT

@YannK gives two good strategies, but if they're not doing what you want, consider this approach. Instead of using regex to filter, use rex with a capture group to do like Yann suggested. Use this captured variable to set a sort of binary flag, like:

eval longer_than_minute=if(isnotnull(<captured_var>, "Y", "N")

Then you can stats count by longer_than_minute.

Furthermore, I'll point out that if there's an <O> flag to signal an outbound call (to contrast the <I> flag for inbound calls), you're better off searching for that as a positive match, rather than NOT; bloom filters will often make a positive match faster than a negative match.

Re: 2 Searches on the same bar chart - (further detail described)

lanode — Tue, 06 Nov 2012 10:27:33 GMT

Thank you guys for your responses to my problem.

I think I've found the solution. It is an adaptation of "yannK's" first suggestion.

Solution :-

sourcetype="Telephone Log" 213 NOT "<I>" 
| timechart count as CALLS
| appendcols [ search 213 NOT "<I>" | regex _raw!=(\b\d\d:00'\d\d) | timechart count as Excess1min ]

I've tested it and compared results with raw data and all looks good so far.

Thanks again for your swift help with this matter. - Much appreciated