Alerting

How to display a chart using an alert query?

lsy9891
Engager

Hi, I'm trying to modify this alert query to display a chart. Currently it displays a table with columns, channel, error type and #Errors. I'm trying to convert this query to become a timechart which counts the number of errors by channel and error type. However I'm getting an error "Error in 'eval' command: The destination key is invalid." and even if I remove it the timechart cannot be created? The highlighted parts are the parts I've changed.

earliest=-1d@d latest=@d index=appguids host=netweba* ApplicationID=order20 ApplicationSource=order errorguid Monster.PaymentProcessor.PaymentFailedException | rex field=Message "(?m)^Message:[^:]+:\s(?.*)$" | stats count BY type,ChannelID | lookup local=1 MonsterChannels ChannelId AS ChannelID | eval Channel=if(isnull(Channel) OR match(Channel,"^0$"),"Unknown ChannelID", Channel) . " [ChannelID: " . ChannelID . "]" | stats values(type) AS "Error Type", list(count) AS "#Errors" BY Channel | appendpipe [ stats sum("#Errors") AS "#Errors" BY Channel | eval "Error Type"="Total for Channel" ] | stats values(Channel) AS X, list("Error Type") AS "Error Type", list("#Errors") AS "#Errors" BY Channel | fields - X |

eval=channel_error= Channel.":".Error Type | timechart span=1h count(#Errors) BY channel_error

0 Karma

Sukisen1981
Champion

eval=channel_error= Channel.":".Error Type | timechart span=1h count(#Errors) BY channel_error
OR
eval channel_error= Channel.":".Error Type | timechart span=1h count(#Errors) BY channel_error
there is an = between eval and channel_error

0 Karma

gcusello
SplunkTrust

Hi lsy9891,
first of all, beware, because there is an = after the eval in the last row!
In addition I see count(#Errors) , it's better count("#Errors") .
Then there could be a mismatch for the space in fields (Error Type), so it's better to use fields without spaces and eventually rename them at the end of the search.

Bye.
Giuseppe

0 Karma

lsy9891
Engager

Hi, I've corrected the problems but it returns "no results are found" when I added the timechart command? Basically I need to create a graph from the alert where the x axis is the channel and there are two y axes: one for error type and one for error count?

0 Karma

lsy9891
Engager

Okay so now my chart shows the total number of errors for each channel ID by adding this line:

chart count(ErrorType) AS TotalError BY Channel

How do I get it to show the total errors for each error type as well?

0 Karma

gcusello
SplunkTrust

Hi lsy9891,
let me understand: in this way you have the count of ErrorTypes for each Channel.
Now you want (in a different panel) the total count of errors for each Error Type, is it correct?
If this is your need you have to create a new search changing the last row.

| stats count AS TotalError BY ErrorType

In this case it's useful to use the Post Process Search, a method to execute a search in a dashboard common to more panels only one time.
In other words (see Splunk Dashboard Examples App at https://splunkbase.splunk.com/app/1603/ ), you have to create a base search with your search without the last row, and then in each panel call the base search and add the different last row of each panel.

Bye.
Giuseppe

0 Karma
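An added example, not part of any post in this thread: `timechart` buckets events on `_time`, and every `stats` command in the original alert query discards `_time`, so a `timechart` appended after them has nothing to plot and returns no results. The sketch below runs `timechart` on the raw events instead and keeps field names free of spaces; the capture-group name `ErrorType` is an assumption (the group name in the posted `rex` was lost), and the lookup is assumed to output a `Channel` field as in the original query.

```spl
earliest=-1d@d latest=@d index=appguids host=netweba* ApplicationID=order20 ApplicationSource=order errorguid Monster.PaymentProcessor.PaymentFailedException
| rex field=Message "(?m)^Message:[^:]+:\s(?<ErrorType>.*)$"
| lookup local=1 MonsterChannels ChannelId AS ChannelID
| eval Channel=if(isnull(Channel) OR match(Channel,"^0$"),"Unknown ChannelID", Channel) . " [ChannelID: " . ChannelID . "]"
| eval channel_error=Channel . ":" . ErrorType
| timechart span=1h limit=0 count BY channel_error
```

For a non-time chart with channels on the x axis and one series per error type, the last two lines can be replaced with `| chart count OVER Channel BY ErrorType`. If a field name does contain a space, `eval` needs it in single quotes on the right-hand side (`'Error Type'`), because double quotes there produce a string literal.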