- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Combining two searches
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have 2 searches and the results are as below
1st search result:
xyz 200 400 500 600 502
Add 0 1 0 0 0
Delete 0 2 1 3 4
2nd search result:
wer 200 400 500 600 502
Add_call 0 1 0 0 0
Now_call 0 2 1 3 4
Kindly help!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Deepz2612 ,
OK based on the comments try ,
"your base search to get API and Service events"
|eval _tmp=Service."#".api|chart count over _tmp by response_code
|rex field=_tmp "(?<Service>.+)#(?<api>.+)"|fields Service,api,*
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Deepz2612 ,
OK based on the comments try ,
"your base search to get API and Service events"
|eval _tmp=Service."#".api|chart count over _tmp by response_code
|rex field=_tmp "(?<Service>.+)#(?<api>.+)"|fields Service,api,*
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Deepz2612 ,
so did you check why this is not working? It works for a test data, so we should look into your events. Do you see some data for
your base search Service=* api=* |head 10 |table Service api response_code|eval tmp=Service."#".api
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try combing API and Service values together (with some delimiter) and then run chart command: like:
eval X = Api . "/ ". Service | Chart values(total) over X by response_code
After this you can split the combined value in separate fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nope this is not working..
The concatenation and chart over concatenated field is fetching no results..
So both the above suggestions are not working..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Are these (api,service) part of the same event or different events?
- Are the count going to be same always for both API/SERVICE? If count over API is different from SERVICE, how do you want to represent the count in the final result?
- How do you relate API to service ? i.e. Add to add_call , delete to delete_call etc?
What goes around comes around. If it helps, hit it with Karma 🙂
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
