Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to compare a search and overlay in two graphs using 2 hosts (host1 and 2); two sourcetypes (sourcetype1 and 2); and three strings "string1", "string2", and "string3" in a given date, say July 27, 2017 from 12:00:01am to 11:58:00 pm?

qtorque95
Explorer
‎07-28-2017 06:52 PM

I tried the following generic example. Note host1 and host2 correspond to sourcetype1 and sourcetype2, accordingly. Thank you for your support.

index=_internal sourcetype="sourcetype1" OR sourcetype="sourcetype2" host="host1" OR host="host2"
earliest=07/28/2017:0:0:0 latest=07/27/2017:23:0:0 | timechart span=1d |
append [search index=_internal sourcetype="sourcetype1" OR sourcetype="sourcetype2" host="host1" OR host="host2"
"string1" OR "string2" OR "string3" ]

Tags (1)
0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎07-29-2017 01:17 PM

I'm not sure I understand all of the question, but I think that for what you want you shouldn't need append. Splunk can do arbitrarily complex splitting in a variety of ways. Here's one method.

First, a run-anywhere example that you can use to see this way of doing it in action.

index=_internal earliest="07/01/2017:00:00:00" latest="07/31/2017:23:00:00" (component="SavedSplunker" OR component="ArchiveProcessor" OR component="WatchedFile")
| eval Splitter=case((component="SavedSplunker"), "ItemA", (component="ArchiveProcessor" OR component="WatchedFile"), "ItemB")
| timechart count by Splitter

In this example, I search a longer time period (which isn't important - just so I have events on my tiny little home system) for things in the internal index. I'm specifically searching ONLY for those three component types, but I honestly only do that for efficiency. I don't want the whole thing drowned out by my 700,000 "component=metrics", so I pick three that I will use as an example later that are all three about the same size (a hundred or two on my system over the past month)

The second line, the eval, uses case to build a field called Splitter. Splitter will be "ItemA" if component is "SavedSplunker", and Splitter will be "ItemB" if the component is either ArchiverProcessor or WatchedFile. It doesn't really matter that I used those, you can put pretty arbitrary stuff in there.

The last line then does a timechart by my newly created field.

So if you want to try something more akin to your example... Well, maybe this will be more interesting?

index=_internal sourcetype="sourcetype1" OR sourcetype="sourcetype2" host="host1" OR host="host2"
earliest=07/27/2017:0:0:0 latest=07/28/2017:23:0:0 
| eval IsSpecial=if(match( _raw, "string1") OR match(_raw, "string2"),"Yes","No")
| timechart IsSpecial

That, like before, is filtering to the "common" filtered criteria - namely host1, host2 of the various sourcetypes you want.

The second line is creating a new field IsSpecial, which is "Yes" if either the word "string1" or the word "string2" is found in _raw (which is the whole event). It is set to No, otherwise.

Then we timechart on that.

Give that a try, see if it makes sense.

If those aren't even close to what you want, shoot back a reply and we can try one of the other ways to do these things.

Happy Splunking,
Rich

0 Karma
Reply

qtorque95
Explorer
‎07-30-2017 04:03 PM

Thank you, @rich7177. Ran last suggestion; however, got this:
"Error in 'timechart' command: The specifier 'IsSpecial' is invalid. It must be in form (). For example: max(size )."

What I'm trying to achieve is to compare log files and search for two (or 3) strings "timeline" and "current position" from July 27 from 12:01 AM to July 28 11:59 PM. The, overlay the results in two graphs as follows:

index=_internal sourcetype="a1_bridge_log" OR sourcetype="b1_bridge_log" host="a1" OR host="b1"
 earliest=07/27/2017:0:01:0 latest=07/28/2017:23:59:0 
 | eval IsSpecial=if(match( _raw, "timeline") OR match(_raw, "currrentposition"),"Yes","No")
 | timechart IsSpecial

where,
index =_internal is the default Splunk light index I use for both hosts, a1, b1.
in my environment, a1_bridge_log is the sourcetype for corresponding logs in host = a1
On the other hand, b1_bridge_log is the sourcetype for corresponding logs in host b1
"timeline" and "currentposition" are character strings found in lines of such log files. Thank you for your support.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎07-31-2017 04:49 AM

My bad -

As per my original example, try 

...
| timechart count by IsSpecial

Silly me, but now you know why I include "how I got to where I got" as a precursor for "how you can get to where you need to be". It's so I can fix my own typos easier. 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...