Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I want to plot a single graph for two different searches .

jsamadhan
New Member
‎07-07-2017 07:05 AM

I am running two search queries-

1st to get count of requests received -
"Received Request-ID-->" | rex ">(?\S+) " | eval Application=case(areqstat LIKE "BTMS%","BTMS",areqstat LIKE "EVSN%","EVSN_Application",areqstat LIKE "DFLW%","DFLW_Application",areqstat LIKE "IDAP%", "IDAP Application",areqstat LIKE "ISF%","ISF Application",areqstat LIKE "ROLB%", "ROLB", 1=1, "Other") | stats count by Application

2nd to get count of responses sent -
Response_for_Request="Response sent for request Id" | rex "request Id - (?\S+) " | eval Application=case(areqstat LIKE "BTMS%","BTMS",areqstat LIKE "EVSN%","EVSN_Application",areqstat LIKE "DFLW%","DFLW_Application",areqstat LIKE "IDAP%", "IDAP Application",areqstat LIKE "ISF%","ISF Application",areqstat LIKE "ROLB%", "ROLB", 1=1, "Other") | stats count by Application

I want to plot a single graph where request received vs response sent count can be plotted for same application.

Any suggestion?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-07-2017 08:50 AM

Try like this

("Received Request-ID-->") OR (Response_for_Request="Response sent for request Id") 
| rex "\>(?<areqstat1>\S+) " | rex "request Id - (?<areqstat2>\S+) " | eval areqstat=coalesce(areqstat1,areqstat2) 
| eval Application=case(areqstat LIKE "BTMS%","BTMS",areqstat LIKE "EVSN%","EVSN_Application",areqstat LIKE "DFLW%","DFLW_Application",areqstat LIKE "IDAP%", "IDAP Application",areqstat LIKE "ISF%","ISF Application",areqstat LIKE "ROLB%", "ROLB", 1=1, "Other") 
| eval type=if(searchmatch("Received Request-ID-->"),"received_count","sent_count")
| chart count over Application by type

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-07-2017 08:50 AM

Try like this

("Received Request-ID-->") OR (Response_for_Request="Response sent for request Id") 
| rex "\>(?<areqstat1>\S+) " | rex "request Id - (?<areqstat2>\S+) " | eval areqstat=coalesce(areqstat1,areqstat2) 
| eval Application=case(areqstat LIKE "BTMS%","BTMS",areqstat LIKE "EVSN%","EVSN_Application",areqstat LIKE "DFLW%","DFLW_Application",areqstat LIKE "IDAP%", "IDAP Application",areqstat LIKE "ISF%","ISF Application",areqstat LIKE "ROLB%", "ROLB", 1=1, "Other") 
| eval type=if(searchmatch("Received Request-ID-->"),"received_count","sent_count")
| chart count over Application by type
0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎07-07-2017 08:39 AM

if you can have the base search have both sourcetypes/indexes, i'd suggest putting this all in one search. write an eval that says if it is received or sent using the source or field that would tell you that. ie: |eval type=if(index=isnotnull(Response_for_Request),"sent","received") and then |stats count by Application type

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...