How do I combine my two similar searches for my post process dashboard?

Path Finder

I am post processing my dashboard.
I have two searches and I wish to club them into one:

1) index=ABC sourcetype=XYZ | timechart count by websphere_clone_id limit=0

2) index=ABC sourcetype=XYZ HTTPstatus=5* | timechart count by websphere_clone_id limit=0

What condition should I put after the timechart to filter out results with HTTPstatus=5*? Or is there any other way altogether?

1 Solution

Legend

Try this

index=ABC ... | eval h=if(like(HTTPstatus, "5%"), 1, null()) | timechart count as total, count(h) as h5 by websphere_clone_id limit=0

Esteemed Legend

Like this:

index=ABC sourcetype=XYZ | timechart count AS total count(eval(like(HTTPstatus, "5%"))) AS h5 BY websphere_clone_id limit=0
