
Appending a two column graph to another two column graph

Path Finder

Hey guys,

I asked a question recently about an appended column on a graph not selecting the correct events when it is clicked on. Iguinn provided me with a query (thanks!) that allowed the columns to filter correctly and select the right events. I have to add two more columns to this graph, and I am running into the same problem I was having when I was trying to use append, which is that it does not filter the events correctly into the appended columns on the graph.

Both of these fields have been extracted and appear correctly when they are not appended.

My query is:

sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" | eval ErrorType = if(PhpFatal=="PHP Fatal error",PhpFatal,DrupalPHPFatal) | stats count by ErrorType | append [ search sourcetype=testing AccessDenied="Access Denied" OR PageNotFound="page not found" | eval ErrorType = if(AccessDenied=="access denied",AccessDenied,PageNotFound) | stats count by ErrorType ]

These commands both work when they are not appended. When I select either the AccessDenied column or the PageNotFound column, I get 0 events, even though the graph says there are three.

The search query when I select one of these appended columns is:

sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" | eval ErrorType = if(PhpFatal=="PHP Fatal error",PhpFatal,DrupalPHPFatal) | search ErrorType="access denied"

If I select a non-appended column, the query is the same, except it ends with search ErrorType="PHP Fatal Error".

Why are appended columns not functioning properly on this graph?

Thanks

0 Karma
1 Solution

SplunkTrust

Use the same formula provided by Iguinn, since they are all coming from the same sourcetype:

sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" OR AccessDenied="Access Denied" OR PageNotFound="page not found" | eval ErrorType = case(PhpFatal="PHP Fatal error", PhpFatal, DrupalPHPFatal="Error: PHP FATAL Error", DrupalPHPFatal, AccessDenied="access denied", AccessDenied, 1=1, PageNotFound) | stats count by ErrorType

Try again (I believe the case of access denied was the issue).


Motivator

Hi Spiere,
Try this search with the appendcols command:

sourcetype=testing AccessDenied="Access Denied" OR PageNotFound="page not found" | eval ErrorType = if(AccessDenied=="access denied",AccessDenied,PageNotFound) | stats count by ErrorType | appendcols [ search sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" | eval ErrorType = if(PhpFatal=="PHP Fatal error",PhpFatal,DrupalPHPFatal) | stats count by ErrorType ]


Path Finder

Access denied does not seem to show up on the graph when using this query. Page not found comes up alright, though.

0 Karma

Path Finder

Could you tell me what the 1=1 does inside of the eval statement? I understand the rest of it except for that part.

New query you submitted works well. Thanks.

0 Karma
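A small Python model of the two search layouts in this thread, added here as an illustration; it is not part of the original thread and not Splunk code. It reproduces three behaviours a reader of this thread would want to confirm: the search command's field=value filter compares values case-insensitively while eval's = and == are case-sensitive (so a case() branch written as AccessDenied="access denied" never matches an extracted value of "Access Denied", and the event falls through to the default, which is exactly the "Access denied does not show up" symptom reported above, while the drilldown's search ErrorType="access denied" still matches); 1=1 in case() is simply a condition that is always true, so the pair 1=1, PageNotFound is the default branch; and a chart click re-runs only the base search plus search ErrorType=<clicked value> (the OP's own drilldown query shows the append subsearch dropped), so rows that came from the appended subsearch have no events to drill into. The events, counts and the lower() fix are constructed for the example.

```python
from collections import Counter

# Constructed sample events (not real data) carrying the fields the thread's
# searches rely on. AccessDenied is capitalised as in the OP's search term.
EVENTS = [
    {"sourcetype": "testing", "PhpFatal": "PHP Fatal error"},
    {"sourcetype": "testing", "DrupalPHPFatal": "Error: PHP FATAL Error"},
    {"sourcetype": "testing", "AccessDenied": "Access Denied"},
    {"sourcetype": "testing", "AccessDenied": "Access Denied"},
    {"sourcetype": "testing", "PageNotFound": "page not found"},
    {"sourcetype": "testing", "PageNotFound": "page not found"},
    {"sourcetype": "testing", "PageNotFound": "page not found"},
    {"sourcetype": "other", "AccessDenied": "Access Denied"},  # wrong sourcetype, filtered out
]

PHP_TERMS = [("PhpFatal", "PHP Fatal error"),
             ("DrupalPHPFatal", "Error: PHP FATAL Error")]
WEB_TERMS = [("AccessDenied", "Access Denied"),
             ("PageNotFound", "page not found")]


def search(terms):
    """Model 'sourcetype=testing f1=v1 OR f2=v2 ...': the search command
    matches field values case-insensitively."""
    return [e for e in EVENTS
            if e["sourcetype"] == "testing"
            and any(e.get(f, "").lower() == v.lower() for f, v in terms)]


def classify_as_posted(e):
    """eval ErrorType=case(...) as written in the accepted answer. eval's
    comparisons are case-sensitive, so 'access denied' never matches
    'Access Denied'; those events take the 1=1 default, and PageNotFound is
    null for them, which leaves ErrorType null."""
    if e.get("PhpFatal") == "PHP Fatal error":
        return e["PhpFatal"]
    if e.get("DrupalPHPFatal") == "Error: PHP FATAL Error":
        return e["DrupalPHPFatal"]
    if e.get("AccessDenied") == "access denied":
        return e["AccessDenied"]
    return e.get("PageNotFound")  # 1=1 is always true: the default branch


def classify_fixed(e):
    """Same case(), but the AccessDenied branch compares lower(AccessDenied)
    (a constructed fix) so the match does not depend on capitalisation."""
    if e.get("PhpFatal") == "PHP Fatal error":
        return e["PhpFatal"]
    if e.get("DrupalPHPFatal") == "Error: PHP FATAL Error":
        return e["DrupalPHPFatal"]
    if e.get("AccessDenied", "").lower() == "access denied":
        return e["AccessDenied"]
    return e.get("PageNotFound")


def stats_count_by(events, classify):
    """stats count by ErrorType: events with a null ErrorType are dropped."""
    counts = Counter()
    for e in events:
        error_type = classify(e)
        if error_type is not None:
            counts[error_type] += 1
    return dict(counts)


def chart_with_append(classify):
    """OP's layout: search | stats count by ErrorType | append [ search | stats ]."""
    outer = stats_count_by(search(PHP_TERMS), classify)
    appended = stats_count_by(search(WEB_TERMS), classify)
    return {**outer, **appended}


def chart_single_search(classify):
    """Accepted answer's layout: one search ORing all four terms, one case()."""
    return stats_count_by(search(PHP_TERMS + WEB_TERMS), classify)


def drilldown(base_terms, clicked, classify):
    """Model the chart click: the base search is re-run up to the transforming
    command and 'search ErrorType=<clicked>' is added. An append subsearch is
    not part of that base search, so its rows cannot be found."""
    return sum(1 for e in search(base_terms)
               if (classify(e) or "").lower() == clicked.lower())


def demo():
    return {
        "append_chart": chart_with_append(classify_fixed),
        "append_click_access_denied": drilldown(PHP_TERMS, "Access Denied", classify_fixed),
        "single_chart_as_posted": chart_single_search(classify_as_posted),
        "single_chart_fixed": chart_single_search(classify_fixed),
        "single_click_access_denied": drilldown(PHP_TERMS + WEB_TERMS, "Access Denied", classify_fixed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running demo() shows the appended chart listing two "Access Denied" rows while a click on that column finds 0 events, the single-search chart as posted silently losing the "Access Denied" row, and the single search with the case-insensitive comparison producing a chart whose drilldown counts match the bars.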