All Apps and Add-ons

one dash-board on multiple search

raindrop18
Communicator

I have these search strings and I would like to create one Dash-board for all of them. and not know how to consolidate the search and have a dash-board showing all the stats at once. any suggestion appreciated.

index="class" sourcetype="summer class" grade1a | timechart count

index="class" sourcetype="summer class" grade1b | timechart count

index="class" sourcetype="summer class" grade1c | timechart count

index="class" sourcetype="summer class" grade2a | timechart count

index="class" sourcetype="summer class" grade2b | timechart count

index="class" sourcetype="summer class" grade2c | timechart count

index="class" sourcetype="summer class" grade3a | timechart count

index="class" sourcetype="summer class" grade3b | timechart count

index="class" sourcetype="summer class" grade3c | timechart count

index="class" sourcetype="summer class" grade4a | timechart count

index="class" sourcetype="summer class" grade4b | timechart count

index="class" sourcetype="summer class" grade4c | timechart count

index="class" sourcetype="summer class" grade5a | timechart count

index="class" sourcetype="summer class" grade5b | timechart count

index="class" sourcetype="summer class" grade5c | timechart count

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

You could extract the grade into a field and do a single timechart count by grade.
If you still need to filter on the grades you can create a large single grade=grade1a OR grade=grade1b OR ... filter.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

You could extract the grade into a field and do a single timechart count by grade.
If you still need to filter on the grades you can create a large single grade=grade1a OR grade=grade1b OR ... filter.

raindrop18
Communicator

you are awesome. working perfectly. and this will be my template for future. thanks much!!

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

So the grade is the first word after the timestamp? Try this:

index="class" sourcetype="summer class" grade=grade1a OR grade=grade1b OR grade=grade1c | rex "^\S+\s+\S+\s+(?<grade>\S+)" | timechart count by grade

If that works, move the regular expression without the double quotes into a field extraction so you don't have to include it in every search.

0 Karma

raindrop18
Communicator

this is the exact output(log)

"2014-06-19 21:18:30" grade1a id=abbyes,ou=user,o=school,ou=services,dc=middle,dc=forgerock,dc=org 9948958e0fbc506008 "Not Available" INFO o=school,ou=services,dc=middle,dc=forgerock,dc=org "cn=dsameuser,ou=DSAME Users,dc=middle,dc=forgerock,dc=org" Permit school.access "Not Available" 10.1.1.1

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

No, specifying grade=grade1a only filters, it doesn't extract the grade field.

What do the events look like?

0 Karma

raindrop18
Communicator

thanks Martin, so grade=grade1a extract the value as filed? I have tried

index="class" sourcetype="summer class" grade=grade1a OR grade=grade1b OR grade=grade1c| timechart count by grade

but not result. did I miss anything, I am new to splunk so be patient with me 🙂

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...