I have these search strings and I would like to create one dashboard for all of them, but I do not know how to consolidate the searches and have a dashboard showing all the stats at once. Any suggestion appreciated.
index="class" sourcetype="summer class" grade1a | timechart count
index="class" sourcetype="summer class" grade1b | timechart count
index="class" sourcetype="summer class" grade1c | timechart count
index="class" sourcetype="summer class" grade2a | timechart count
index="class" sourcetype="summer class" grade2b | timechart count
index="class" sourcetype="summer class" grade2c | timechart count
index="class" sourcetype="summer class" grade3a | timechart count
index="class" sourcetype="summer class" grade3b | timechart count
index="class" sourcetype="summer class" grade3c | timechart count
index="class" sourcetype="summer class" grade4a | timechart count
index="class" sourcetype="summer class" grade4b | timechart count
index="class" sourcetype="summer class" grade4c | timechart count
index="class" sourcetype="summer class" grade5a | timechart count
index="class" sourcetype="summer class" grade5b | timechart count
index="class" sourcetype="summer class" grade5c | timechart count
You could extract the grade into a field and do a single timechart count by grade.
If you still need to filter on the grades you can create a large single grade=grade1a OR grade=grade1b OR ... filter.
You are awesome. Working perfectly, and this will be my template for the future. Thanks much!!
So the grade is the first word after the timestamp? Try this:
index="class" sourcetype="summer class" grade=grade1a OR grade=grade1b OR grade=grade1c | rex "^\S+\s+\S+\s+(?<grade>\S+)" | timechart count by grade
If that works, move the regular expression without the double quotes into a field extraction so you don't have to include it in every search.
This is the exact output (log):
"2014-06-19 21:18:30" grade1a id=abbyes,ou=user,o=school,ou=services,dc=middle,dc=forgerock,dc=org 9948958e0fbc506008 "Not Available" INFO o=school,ou=services,dc=middle,dc=forgerock,dc=org "cn=dsameuser,ou=DSAME Users,dc=middle,dc=forgerock,dc=org" Permit school.access "Not Available" 10.1.1.1
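One way to turn the consolidated search into the single dashboard the question asks for, as an added example that is not from this thread: a Splunk Simple XML dashboard using the rex extraction suggested above, with a multiselect input that builds the grade=... OR grade=... filter and applies it after the field has been extracted. The token names, panel title and the three grade choices are my own constructed values; the remaining grades follow the same pattern.

```xml
<dashboard>
  <label>Summer class access by grade</label>
  <fieldset submitButton="false">
    <!-- The multiselect builds (grade="grade1a" OR grade="grade1b") into the $grade_filter$ token;
         the "All" choice is a wildcard. Add one <choice> per remaining grade (constructed list). -->
    <input type="multiselect" token="grade_filter" searchWhenChanged="true">
      <label>Grade</label>
      <choice value="*">All</choice>
      <choice value="grade1a">grade1a</choice>
      <choice value="grade1b">grade1b</choice>
      <choice value="grade1c">grade1c</choice>
      <default>*</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>grade="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
    <input type="time" token="time_range">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Events per grade over time</title>
      <chart>
        <search>
          <!-- Inside <query> the rex named group has to be XML-escaped: (?&lt;grade&gt;\S+).
               The grade filter is applied with "| search" AFTER rex, so it runs against the
               extracted field rather than a field that does not exist yet at search time. -->
          <query>index="class" sourcetype="summer class"
| rex "^\S+\s+\S+\s+(?&lt;grade&gt;\S+)"
| search $grade_filter$
| timechart count by grade</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

If the regex is moved into a search-time field extraction on the sourcetype, the rex line can be dropped from the query and the rest of the dashboard stays the same.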
No, specifying grade=grade1a only filters, it doesn't extract the grade field.
What do the events look like?
Thanks Martin, so grade=grade1a extracts the value as a field? I have tried
index="class" sourcetype="summer class" grade=grade1a OR grade=grade1b OR grade=grade1c | timechart count by grade
but no result. Did I miss anything? I am new to Splunk so be patient with me 🙂
