Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to display a chart using an alert query?

lsy9891
Engager
‎08-29-2019 09:08 PM

Hi, I'm trying to modify this alert query to display a chart. Currently it displays a table with columns, channel, error type and #Errors. I'm trying to convert this query to become a timechart which counts the number of errors by channel and error type. However I'm getting an error "Error in 'eval' command: The destination key is invalid. " and even if I remove it the timechart cannnot be created? The highlighted parts are the parts I've changed.

earliest=-1d@d latest=@d index=appguids host=netweba* ApplicationID=order20 ApplicationSource=order errorguid Monster.PaymentProcessor.PaymentFailedException | rex field=Message "(?m)^Message:[^:]+:\s(?.*)$" | stats count BY type,ChannelID | lookup local=1 MonsterChannels ChannelId AS ChannelID | eval Channel=if(isnull(Channel) OR match(Channel,"^0$"),"Unknown ChannelID", Channel) . " [ChannelID: " . ChannelID . "]" | stats values(type) AS "Error Type", list(count) AS "#Errors" BY Channel | appendpipe [ stats sum("#Errors") AS "#Errors" BY Channel | eval "Error Type"="Total for Channel" ] | stats values(Channel) AS X, list("Error Type") AS "Error Type", list("#Errors") AS "#Errors" BY Channel | fields - X |

eval=channel_error= Channel.":".Error Type | timechart span=1h count(#Errors) BY channel_error

0 Karma
Reply

Sukisen1981
Champion
‎08-30-2019 04:01 AM

eval=channel_error= Channel.":".Error Type | timechart span=1h count(#Errors) BY channel_error
OR
eval channel_error= Channel.":".Error Type | timechart span=1h count(#Errors) BY channel_error
there is an = between eval and channel_error

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-30-2019 04:00 AM

Hi lsy9891,
at first beware because there an = after the eval in the last row!
In addition I see count(#Errors) , it's better count("#Errors") .
Then there could be a mismatch for the space in fields (Error Type), so it's better to use fields without spaces and eventually rename them at the end of the search.

Bye.
Giuseppe

0 Karma
Reply

lsy9891
Engager
‎09-03-2019 09:08 PM

Hi I've corrected the problems but it returns no results are found when I added the timechart command? Basically I need to create a graph from the alert where the x axis is the channel and there are two y axis- one for error type and one for error count?

0 Karma
Reply

lsy9891
Engager
‎09-03-2019 10:27 PM

Okay so now my chart shows the total number of errors for each channel ID by adding this line:

chart count(ErrorType) AS TotalError BY Channel

How do I get it to show the total errors for each error type as well?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-04-2019 12:03 AM

Hi lsy9891,
let me understand: in this way tou have the count of ErrorTypes for each Channel.
Now you want (in a different panel) the total count of errors for each Error Type, is it correct?
if this is your need you have to create a new search changing the last row.

| stats count AS TotalError BY ErrorType

In this case it's useful to use the Post Process Search, a method to execute a search in a dashboard common to more panels only one time.
In other words (see Splunk Dashboard Examples App at https://splunkbase.splunk.com/app/1603/ ), you have to creare a base search with your search without the last row, and then in each panel call the base search and adding the different last row of each panel.

Bye.
Giuseppe

0 Karma
Reply
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!

Get Updates on the Splunk Community!