I have these search strings and I would like to create one dashboard for all of them, and I do not know how to consolidate the search and have a dashboard showing all the stats at once. Any suggestion appreciated.
index="class" sourcetype="summer class" grade1a | timechart count
index="class" sourcetype="summer class" grade1b | timechart count
index="class" sourcetype="summer class" grade1c | timechart count
index="class" sourcetype="summer class" grade2a | timechart count
index="class" sourcetype="summer class" grade2b | timechart count
index="class" sourcetype="summer class" grade2c | timechart count
index="class" sourcetype="summer class" grade3a | timechart count
index="class" sourcetype="summer class" grade3b | timechart count
index="class" sourcetype="summer class" grade3c | timechart count
index="class" sourcetype="summer class" grade4a | timechart count
index="class" sourcetype="summer class" grade4b | timechart count
index="class" sourcetype="summer class" grade4c | timechart count
index="class" sourcetype="summer class" grade5a | timechart count
index="class" sourcetype="summer class" grade5b | timechart count
index="class" sourcetype="summer class" grade5c | timechart count
You could extract the grade into a field and do a single timechart count by grade.
If you still need to filter on the grades you can create a large single grade=grade1a OR grade=grade1b OR ... filter.
You are awesome. Working perfectly, and this will be my template for the future. Thanks much!!
So the grade is the first word after the timestamp? Try this:
index="class" sourcetype="summer class" (grade1a OR grade1b OR grade1c) | rex "^\S+\s+\S+\s+(?<grade>\S+)" | timechart count by grade
If that works, move the regular expression without the double quotes into a field extraction so you don't have to include it in every search.
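The same extraction and split-by count, modelled in Python as an added example that is not from this thread or from Splunk: it applies the `^\S+\s+\S+\s+(?<grade>\S+)` regex from the search above to constructed events laid out like the posted log line, then counts per grade per time bucket the way `timechart count by grade` does. The sample events, the span and the optional grade filter are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Same pattern as the rex in the search: skip the two whitespace-separated
# tokens of the quoted timestamp, capture the next token as "grade".
GRADE_RE = re.compile(r'^\S+\s+\S+\s+(?P<grade>\S+)')
# The event starts with a quoted timestamp: "2014-06-19 21:18:30"
TS_RE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"')

# Constructed events in the layout of the log line in the thread (the LDAP
# DN fields are shortened); the last line is deliberately malformed.
SAMPLE_EVENTS = [
    '"2014-06-19 21:18:30" grade1a id=abbyes,ou=user,o=school Permit school.access "Not Available" 10.1.1.1',
    '"2014-06-19 21:19:05" grade1b id=bob,ou=user,o=school Permit school.access "Not Available" 10.1.1.2',
    '"2014-06-19 21:42:11" grade1a id=carol,ou=user,o=school Deny school.access "Not Available" 10.1.1.3',
    '"2014-06-19 22:03:59" grade3c id=dave,ou=user,o=school Permit school.access "Not Available" 10.1.1.4',
    'malformed line without a timestamp',
]

def extract_grade(event):
    # Positional, like the rex: whatever the third token is becomes "grade".
    m = GRADE_RE.match(event)
    return m.group('grade') if m else None

def bucket(ts, span_seconds):
    # Floor to the start of the span (spans that divide a day evenly), like span=1h.
    secs = ts.hour * 3600 + ts.minute * 60 + ts.second
    floored = secs - secs % span_seconds
    return ts.replace(hour=floored // 3600, minute=(floored % 3600) // 60, second=floored % 60)

def timechart_count_by_grade(events, span_seconds=3600, grades=None):
    # Returns {bucket_start_iso: {grade: count}}. `grades` restricts the output
    # the way a grade=... OR grade=... filter after the rex would. Events
    # without a parseable timestamp are skipped here.
    chart = defaultdict(Counter)
    for event in events:
        ts_match = TS_RE.match(event)
        grade = extract_grade(event)
        if not ts_match or grade is None:
            continue
        if grades is not None and grade not in grades:
            continue
        ts = datetime.strptime(ts_match.group(1), '%Y-%m-%d %H:%M:%S')
        chart[bucket(ts, span_seconds).isoformat()][grade] += 1
    return {k: dict(v) for k, v in sorted(chart.items())}

if __name__ == '__main__':
    print(timechart_count_by_grade(SAMPLE_EVENTS, 3600))
```

Note that the malformed line is dropped only because it has no timestamp; the grade regex itself would happily capture its third word, which is why the field extraction should be paired with a sourcetype that guarantees the layout.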
This is the exact output (log):
"2014-06-19 21:18:30" grade1a id=abbyes,ou=user,o=school,ou=services,dc=middle,dc=forgerock,dc=org 9948958e0fbc506008 "Not Available" INFO o=school,ou=services,dc=middle,dc=forgerock,dc=org "cn=dsameuser,ou=DSAME Users,dc=middle,dc=forgerock,dc=org" Permit school.access "Not Available" 10.1.1.1
No, specifying grade=grade1a only filters, it doesn't extract the grade field.
What do the events look like?
Thanks Martin, so does grade=grade1a extract the value as a field? I have tried
index="class" sourcetype="summer class" grade=grade1a OR grade=grade1b OR grade=grade1c| timechart count by grade
but no result. Did I miss anything? I am new to Splunk, so be patient with me 🙂