topic Re: How to combine access log data from multiple sources over time in the same line graph? in Splunk Search

How to combine access log data from multiple sources over time in the same line graph?

alafferty — Thu, 19 Nov 2015 19:35:48 GMT

Greetings!

I have access logs from multiple sources that I'd like to combine into the same graph, basically to count the number of hits per minute on each source.

index=ihs source="*_access_log.*" |  timechart span=1m count(eval(source="/logdir/http-logs/source1_access_log.%Y%m%d")) AS source1, count(eval(source="/logdir/http-logs/source2_access_log.%Y%m%d")) AS source2, count(eval(source="/logdir/http-logs/source3_access_log.%Y%m%d")) AS source3, count(eval(source="/logdir/http-logs/source4_access_log.%Y%m%d")) AS source4

Basically each source has its own name and today's date. I'm not really sure how to approach it, but the above and everything else I've been trying doesn't work.

Thanks,
Aaron

Re: How to combine access log data from multiple sources over time in the same line graph?

alafferty — Thu, 19 Nov 2015 20:19:34 GMT

 index=ihs source="*_access_log.*" |  timechart span=1m count(eval("source=/logdir/http-logs/source1_access_log.'%Y%m%d'")) AS source1, count(eval("source=/logdir/http-logs/source2_access_log.'%Y%m%d'")) AS source2, count(eval("source=/logdir/http-logs/source3_access_log.'%Y%m%d'")) AS source3, count(eval("source=/logdir/http-logs/source4_access_log.'%Y%m%d'")) AS source4

I tried that. It actually gets counts ind the source# table, but all of the counts are the same! Ugh. The search works fine when I manually specify the date of 20151119 at the end of the access log

Re: How to combine access log data from multiple sources over time in the same line graph?

sundareshr — Wed, 02 Dec 2015 01:16:27 GMT

Have you tried (for the given sample data)

index=ihs source="*_access_log.*" | rex field=source "(?<src>\w+\d)" |  timechart span=1m count by source