Hi, I'm trying to modify this alert query to display a chart. Currently it displays a table with the columns channel, error type and #Errors. I'm trying to convert this query into a timechart which counts the number of errors by channel and error type. However I'm getting the error "Error in 'eval' command: The destination key is invalid." and even if I remove it the timechart cannot be created? The highlighted parts are the parts I've changed.
earliest=-1d@d latest=@d index=appguids host=netweba* ApplicationID=order20 ApplicationSource=order errorguid Monster.PaymentProcessor.PaymentFailedException | rex field=Message "(?m)^Message:[^:]+:\s(?<type>.*)$" | stats count BY type,ChannelID | lookup local=1 MonsterChannels ChannelId AS ChannelID | eval Channel=if(isnull(Channel) OR match(Channel,"^0$"),"Unknown ChannelID", Channel) . " [ChannelID: " . ChannelID . "]" | stats values(type) AS "Error Type", list(count) AS "#Errors" BY Channel | appendpipe [ stats sum("#Errors") AS "#Errors" BY Channel | eval "Error Type"="Total for Channel" ] | stats values(Channel) AS X, list("Error Type") AS "Error Type", list("#Errors") AS "#Errors" BY Channel | fields - X |
eval=channel_error= Channel.":".Error Type | timechart span=1h count(#Errors) BY channel_error
eval=channel_error= Channel.":".Error Type | timechart span=1h count(#Errors) BY channel_error
OR
eval channel_error= Channel.":".Error Type | timechart span=1h count(#Errors) BY channel_error
There is an = between eval and channel_error.
Hi lsy9891,
First of all, beware: there is an = after the eval in the last row!
In addition I see count(#Errors); it's better to use count("#Errors").
Then there could be a mismatch due to the space in the field names (Error Type), so it's better to use field names without spaces and eventually rename them at the end of the search.
Bye.
Giuseppe
Hi, I've corrected the problems but it returns "No results found" when I add the timechart command? Basically I need to create a graph from the alert where the x axis is the channel and there are two y axes: one for error type and one for error count.
Okay, so now my chart shows the total number of errors for each channel ID by adding this line:
chart count(ErrorType) AS TotalError BY Channel
How do I get it to show the total errors for each error type as well?
Hi lsy9891,
let me understand: in this way you have the count of ErrorTypes for each Channel.
Now you want (in a different panel) the total count of errors for each Error Type, is it correct?
If this is your need, you have to create a new search changing the last row.
| stats count AS TotalError BY ErrorType
In this case it's useful to use the Post Process Search, a method to execute a search that is common to multiple panels of a dashboard only once.
In other words (see the Splunk Dashboard Examples App at https://splunkbase.splunk.com/app/1603/ ), you have to create a base search with your search without the last row, and then in each panel call the base search and add the different last row of each panel.
Bye.
Giuseppe
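As an added example (editorial, not code from either participant in this thread), here is a Simple XML dashboard that puts together the two pieces of advice above: the first answer (quote "#Errors", avoid spaces in field names and rename at the end) and the second (one base search, with each panel supplying only its own last stage as a post-process search). The base search is the thread's query with the final table-building stages removed. Two things are assumed: that the MonsterChannels lookup outputs a field named Channel, and that the alert's event data looks like the query expects. The example also reflects two points a practitioner would check before copying the original pipeline into a chart: the `appendpipe` rows labelled "Total for Channel" are left out, because a chart that sums the rows would otherwise count every channel twice; and `chart`/`stats` is used instead of `timechart`, since the `stats` stage has already discarded `_time`, so a `timechart` after it has nothing to bucket on and returns no results. Inside a `<query>` element the regex's `<` and `>` must be written as `&lt;` and `&gt;`.

```xml
<dashboard>
  <label>Payment failures by channel (added example, not the original alert)</label>

  <!-- Base search: the alert query minus its final table-building stages.
       Field names have no spaces (ErrorType, ErrorCount); panels rename them
       at the very end. The "Total for Channel" appendpipe rows are omitted so
       the charts do not double-count. Assumption: the MonsterChannels lookup
       returns a field called Channel. -->
  <search id="base_errors">
    <query>
      index=appguids host=netweba* ApplicationID=order20 ApplicationSource=order errorguid Monster.PaymentProcessor.PaymentFailedException
      | rex field=Message "(?m)^Message:[^:]+:\s(?&lt;ErrorType&gt;.*)$"
      | lookup local=1 MonsterChannels ChannelId AS ChannelID
      | eval Channel=if(isnull(Channel) OR match(Channel,"^0$"),"Unknown ChannelID",Channel) . " [ChannelID: " . ChannelID . "]"
      | stats count AS ErrorCount BY Channel, ErrorType
    </query>
    <earliest>-1d@d</earliest>
    <latest>@d</latest>
  </search>

  <row>
    <!-- Panel 1: total errors per channel (the user's working chart). -->
    <panel>
      <title>Errors per channel</title>
      <chart>
        <search base="base_errors">
          <query>stats sum(ErrorCount) AS TotalError BY Channel</query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>

    <!-- Panel 2: total errors per error type (the second answer's last row,
         run as a post-process search over the same base results). -->
    <panel>
      <title>Errors per error type</title>
      <chart>
        <search base="base_errors">
          <query>stats sum(ErrorCount) AS TotalError BY ErrorType | rename ErrorType AS "Error Type"</query>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>

  <row>
    <!-- Panel 3: one chart carrying both dimensions, channel on the x axis
         and one stacked series per error type. -->
    <panel>
      <title>Errors per channel, split by error type</title>
      <chart>
        <search base="base_errors">
          <query>chart sum(ErrorCount) AS Errors OVER Channel BY ErrorType</query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Because every panel reads the already-aggregated rows of `base_errors`, the indexed events are scanned once per dashboard load rather than once per panel. If a real time series is wanted, the `timechart` has to run before any `stats` in the base search (for example `timechart span=1h count BY ErrorType` directly after the `eval`), while `_time` is still present on the events.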