Solved: Timechart Count by Field Name... By Field Name (Co...

PaintItParker · ‎04-26-2021

I have two timecharts:

index=my_index sourcetype=my_sourcetype
| where area="area1"
| regex message="(?:(^Problem.*)|((?i).*Issue.*)|((?i).*Error.*))"
| timechart count by message

and

index=my_index sourcetype=my_sourcetype
| where area="area2"
| regex message="(?:(^Problem.*)|((?i).*Issue.*)|((?i).*Error.*))"
| timechart count by message

The only thing that makes them different is that one is looking at logs where the value of area is area1, and the other is looking at area2.

Rather than have two separate timecharts, I would like to have one timechart with a line for area1 and a line for area2, looking at the count of Issues for each over the given period of time. I do not need a span because the dashboard implements that for me with the time range selection feature.

How could I go about this? I tried something like "timechart count by message by area" but that does not work. Thank you.

ITWhisperer · ‎04-26-2021

Have you tried something like this:

index=my_index sourcetype=my_sourcetype (area="area1" OR area="area2")
| regex message="(?:(^Problem.*)|((?i).*Issue.*)|((?i).*Error.*))"
| timechart count by message area

View solution in original post

ITWhisperer · ‎04-26-2021

Have you tried something like this:

index=my_index sourcetype=my_sourcetype (area="area1" OR area="area2")
| regex message="(?:(^Problem.*)|((?i).*Issue.*)|((?i).*Error.*))"
| timechart count by message area

Timechart Count by Field Name... By Field Name (Combining Timecharts)

timechart

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk