All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Issue with appendcols

edschembor
Path Finder
‎06-09-2014 01:45 PM

So, I have the following code which searches for two types of errors and creates a bar graph showing how many times each one occurs. Very simple.

index=hpov eph " error " AND (tag="EPH_SVR") | eval ReasonForFailure="" | chart count as error by ReasonForFailure |  appendcols [search index=hpov eph " exception " AND (tag="EPH_SVR")| stats count as exception] |  appendcols [search index=hpov eph " EXCEPTION " AND (tag="EPH_SVR") | stats count as exception]

However, when I click on the second bar so I can see which events it consists of, the search instead brings up that of the first bar. I'm not sure why this is occurring. Is the "eval" somehow linking them??

Thanks!!!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-09-2014 01:55 PM

Can you try with construct?

|multisearch [search index=hpov eph " error " AND (tag="EPH_SVR") | eval Type="Error" ] [search index=hpov eph " exception " AND (tag="EPH_SVR")| eval Type="exception"] [search index=hpov eph " EXCEPTION " AND (tag="EPH_SVR") |eval Type="EXCEPTION"] | chart count by Type

2nd Update:

index=hpov eph " error " AND (tag="EPH_SVR") | eval Type="Error" | eval counter=1 | appendpipe [|stats count | eval counter=0 | eval Type="Error"| where count=0] | append [search index=hpov eph " exception " AND (tag="EPH_SVR")| eval Type="exception"|eval counter=1| appendpipe[|stats count | eval counter=0 | eval Type="exception"| where count=0]] | append [search index=hpov eph " EXCEPTION " AND (tag="EPH_SVR") |eval Type="EXCEPTION"|eval counter=1| appendpipe[|stats count | eval counter=0|eval Type="EXCEPTION"| where count=0]] | chart sum(counter) as count by Type

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-09-2014 01:55 PM

Can you try with construct?

|multisearch [search index=hpov eph " error " AND (tag="EPH_SVR") | eval Type="Error" ] [search index=hpov eph " exception " AND (tag="EPH_SVR")| eval Type="exception"] [search index=hpov eph " EXCEPTION " AND (tag="EPH_SVR") |eval Type="EXCEPTION"] | chart count by Type

2nd Update:

index=hpov eph " error " AND (tag="EPH_SVR") | eval Type="Error" | eval counter=1 | appendpipe [|stats count | eval counter=0 | eval Type="Error"| where count=0] | append [search index=hpov eph " exception " AND (tag="EPH_SVR")| eval Type="exception"|eval counter=1| appendpipe[|stats count | eval counter=0 | eval Type="exception"| where count=0]] | append [search index=hpov eph " EXCEPTION " AND (tag="EPH_SVR") |eval Type="EXCEPTION"|eval counter=1| appendpipe[|stats count | eval counter=0|eval Type="EXCEPTION"| where count=0]] | chart sum(counter) as count by Type
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-11-2014 08:31 AM

Anything I add for showing zero-count results is causing drilldown to fail (default drilldown). This one shows zero-count results and drilldown works too, but in the output bar chart, you need to 'stack' the bars.

index=hpov eph  AND (tag="EPH_SVR") (" error " OR  " exception " OR " EXCEPTION "  | eval test=1| eval Type=case(like(_raw,"% error %"),"Error",like(_raw,"% exception %"),"exception",like(_raw,"% EXCEPTION %"),"EXCEPTION") | stats count(eval(Type="Error")) as CountError count(eval(Type="exception")) as CountWarning count(eval(Type="EXCEPTION")) as CountInfo by Type
0 Karma
Reply
Solved! Jump to solution

edschembor
Path Finder
‎06-11-2014 06:34 AM

Still the same. If I click on the exception bar, it brings up events with errors, not exceptions

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-10-2014 06:17 AM

Try the 2nd Update.

0 Karma
Reply
Solved! Jump to solution

edschembor
Path Finder
‎06-10-2014 05:49 AM

The update didn't actually fix anything. If I click on the exception bar on the graph, it does a search and shows events with errors, not with exceptions. It still only searches for the first search. Without the update was better

0 Karma
Reply
Solved! Jump to solution

edschembor
Path Finder
‎06-09-2014 02:12 PM

Yes thank you!! However, is there a way to still show non-zero results and the item categories on the side like it would with appendcol?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...