https://community.splunk.com/t5/Splunk-Search/Multiple-timechart-counts-in-one-search/m-p/172613#M49490 <P>you could try<BR /> index=nexus RNA-IVS | rex field=_raw ".<EM>login (?\s+).</EM>" | timechart count by logstate</P> <P>make to regexp to match your fields</P> Thu, 13 Aug 2015 08:50:22 GMT FritzWittwer_ol 2015-08-13T08:50:22Z https://community.splunk.com/t5/Splunk-Search/Multiple-timechart-counts-in-one-search/m-p/172609#M49486 <P>Hey Guys, i have spent all day trying to do this:</P> <P>So this search:</P> <P>index=nexus RNA-IVS "login failed" | timechart count</P> <P>provides me with </P> <P>date count<BR /> mon 8 <BR /> tue 5<BR /> wed 3</P> <P>Its counting all results with the string "login failed". </P> <P>NOW, what i need is it to do two string counts of different words so i get this result:</P> <P>date count1 (login failed) count2 (passed)<BR /> mon 8 3<BR /> tue 5 2<BR /> wed 3 3</P> <P>please assist <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> </P> <P>Regards</P> Thu, 13 Aug 2015 05:14:05 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-timechart-counts-in-one-search/m-p/172609#M49486 nanomatical 2015-08-13T05:14:05Z https://community.splunk.com/t5/Splunk-Search/Multiple-timechart-counts-in-one-search/m-p/172610#M49487 <P>Try this</P> <PRE><CODE>index=nexus RNA-IVS "login failed" OR passed | eval status = if(match(_raw,"(?i)login failed"),"Login failed","Passed") | timechart count by status </CODE></PRE> <P>If you want to do this for more fields, that is possible. You could have multiple <CODE>eval</CODE> statements with different criteria. As long as you assign the appropriate value to <CODE>status</CODE>, the above will work.</P> <P>However, I think you should consider creating some eventtypes for your data. This would let you categorize the information in a number of ways. Let's say that you named your eventtypes <CODE>RNA_login_failed</CODE>, <CODE>RNA_login_success</CODE>, <CODE>RNA_connection_started</CODE> etc. Now your search would be very simple (and flexible):</P> <PRE><CODE>index=nexus RNA-IVS eventtype=RNA* | timechart count by eventtype </CODE></PRE> <P>And if in the future you create more <CODE>RNA*</CODE> eventtypes, this search will automatically pick them up.</P> <P><A href="http://www.splunk.com/view/SP-CAAAGYK">Video tutorial on eventtypes</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Abouteventtypes">Docs on eventtypes</A></P> Thu, 13 Aug 2015 05:50:15 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-timechart-counts-in-one-search/m-p/172610#M49487 lguinn2 2015-08-13T05:50:15Z https://community.splunk.com/t5/Splunk-Search/Multiple-timechart-counts-in-one-search/m-p/172611#M49488 <P>Thanks for this, it works great, however can i add more than two fields also? I need about four</P> <P>Regards</P> Thu, 13 Aug 2015 06:18:18 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-timechart-counts-in-one-search/m-p/172611#M49488 nanomatical 2015-08-13T06:18:18Z https://community.splunk.com/t5/Splunk-Search/Multiple-timechart-counts-in-one-search/m-p/172612#M49489 <P>How i wish somebody would answer <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Thu, 13 Aug 2015 07:13:07 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-timechart-counts-in-one-search/m-p/172612#M49489 nanomatical 2015-08-13T07:13:07Z https://community.splunk.com/t5/Splunk-Search/Multiple-timechart-counts-in-one-search/m-p/172613#M49490 <P>you could try<BR /> index=nexus RNA-IVS | rex field=_raw ".<EM>login (?\s+).</EM>" | timechart count by logstate</P> <P>make to regexp to match your fields</P> Thu, 13 Aug 2015 08:50:22 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-timechart-counts-in-one-search/m-p/172613#M49490 FritzWittwer_ol 2015-08-13T08:50:22Z https://community.splunk.com/t5/Splunk-Search/Multiple-timechart-counts-in-one-search/m-p/172614#M49491 <P>We do this for free... and in the middle of the night in my timezone... just sayin'</P> Thu, 13 Aug 2015 16:56:30 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-timechart-counts-in-one-search/m-p/172614#M49491 lguinn2 2015-08-13T16:56:30Z