Solved: Getting the count based on the keywords on the eve...

macadminrohit · ‎02-22-2018

Hi,

I am trying to get the timechart span = 1h , for the APIs appearing in the events. search query is like this ?

index=home sourcetype=logs "Keyword" | timechart count span=1h as count | sort _time | reverse

there will be different keyword but the underline search will be different like keyword1, keyword2, keyword3 etc, I want to get the timechart by each keyword. how that can be done.

somesoni2 · ‎02-22-2018

Are the kewords fixed values? If yes, try this

index=home sourcetype=logs "keyword1" OR "keyword2" OR "keyword3"....
| eval keyword=case(searchmatch("keyword1"),"Keyword1", searchmatch("keyword2"),"Keyword2",.....rest of the keywords)
| timechart count span=1h as count by keyword | reverse

View solution in original post

somesoni2 · ‎02-22-2018

Are the kewords fixed values? If yes, try this

index=home sourcetype=logs "keyword1" OR "keyword2" OR "keyword3"....
| eval keyword=case(searchmatch("keyword1"),"Keyword1", searchmatch("keyword2"),"Keyword2",.....rest of the keywords)
| timechart count span=1h as count by keyword | reverse

macadminrohit · ‎02-28-2018

Thanks Somesh, it works. I want to accept this as answer but not getting that option.

somesoni2 · ‎02-28-2018

Here you go.

Getting the count based on the keywords on the events

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms