How to display a chart using an alert query?

lsy9891 · ‎08-29-2019

Hi, I'm trying to modify this alert query to display a chart. Currently it displays a table with columns, channel, error type and #Errors. I'm trying to convert this query to become a timechart which counts the number of errors by channel and error type. However I'm getting an error "Error in 'eval' command: The destination key is invalid. " and even if I remove it the timechart cannnot be created? The highlighted parts are the parts I've changed.

earliest=-1d@d latest=@d index=appguids host=netweba* ApplicationID=order20 ApplicationSource=order errorguid Monster.PaymentProcessor.PaymentFailedException | rex field=Message "(?m)^Message:[^:]+:\s(?.*)$" | stats count BY type,ChannelID | lookup local=1 MonsterChannels ChannelId AS ChannelID | eval Channel=if(isnull(Channel) OR match(Channel,"^0$"),"Unknown ChannelID", Channel) . " [ChannelID: " . ChannelID . "]" | stats values(type) AS "Error Type", list(count) AS "#Errors" BY Channel | appendpipe [ stats sum("#Errors") AS "#Errors" BY Channel | eval "Error Type"="Total for Channel" ] | stats values(Channel) AS X, list("Error Type") AS "Error Type", list("#Errors") AS "#Errors" BY Channel | fields - X |

eval=channel_error= Channel.":".Error Type | timechart span=1h count(#Errors) BY channel_error

Sukisen1981 · ‎08-30-2019

eval=channel_error= Channel.":".Error Type | timechart span=1h count(#Errors) BY channel_error
OR
eval channel_error= Channel.":".Error Type | timechart span=1h count(#Errors) BY channel_error
there is an = between eval and channel_error

gcusello · ‎08-30-2019

Hi lsy9891,
at first beware because there an = after the eval in the last row!
In addition I see count(#Errors) , it's better count("#Errors") .
Then there could be a mismatch for the space in fields (Error Type), so it's better to use fields without spaces and eventually rename them at the end of the search.

Bye.
Giuseppe

lsy9891 · ‎09-03-2019

Hi I've corrected the problems but it returns no results are found when I added the timechart command? Basically I need to create a graph from the alert where the x axis is the channel and there are two y axis- one for error type and one for error count?

lsy9891 · ‎09-03-2019

Okay so now my chart shows the total number of errors for each channel ID by adding this line:

chart count(ErrorType) AS TotalError BY Channel

How do I get it to show the total errors for each error type as well?

gcusello · ‎09-04-2019

Hi lsy9891,
let me understand: in this way tou have the count of ErrorTypes for each Channel.
Now you want (in a different panel) the total count of errors for each Error Type, is it correct?
if this is your need you have to create a new search changing the last row.

| stats count AS TotalError BY ErrorType

In this case it's useful to use the Post Process Search, a method to execute a search in a dashboard common to more panels only one time.
In other words (see Splunk Dashboard Examples App at https://splunkbase.splunk.com/app/1603/ ), you have to creare a base search with your search without the last row, and then in each panel call the base search and adding the different last row of each panel.

Bye.
Giuseppe

How to display a chart using an alert query?

Enhance Your Splunk App Development: New Tools & Support

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Are you a member of the Splunk Community?

How to display a chart using an alert query?

Enhance Your Splunk App Development: New Tools & Support

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code