Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can this query be written more efficiently?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dfexsplunk
New Member
09-19-2016
01:56 AM
It's a query for a staked column chart.
index=myCompIn source="/locatedin/mySrc.log" "Reply Back" "CAT-IN " "SOME STUFF" | append
[search index=myCompIn source="/locatedin/mySrc.log" "CAT-IN | 91.8.1952.7.4 | (false true false)"] | append
[search index=myCompIn source="/locatedin/mySrc.log" "CAT-IN | 91.8.1952.7.4 | (false false true)"]|timechart span=1d count AS aTXN | join _time
[search index=myCompIn source="/locatedin/mySrc.log" RT_DCC_TYPE=converted | append
[search index=myCompIn source="/locatedin/mySrc.log" "CAT-IN | 91.8.1952.7.4 | (false true false)"] | append
[search index=myCompIn source="/locatedin/mySrc.log" "CAT-IN | 91.8.1952.7.4 | (false false true)"] | timechart span=1d count AS bTXN]
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-20-2016
08:15 AM
Try this
index=myCompIn source="/locatedin/mySrc.log" ("Reply Back" "CAT-IN " "SOME STUFF") OR ("CAT-IN | 91.8.1952.7.4 | (false true false)" ) OR ("CAT-IN | 91.8.1952.7.4 | (false false true)") OR ( RT_DCC_TYPE=converted ) OR ( "CAT-IN | 91.8.1952.7.4 | (false true false)") OR ( "CAT-IN | 91.8.1952.7.4 | (false false true)" )
| eval catin=case(searchmatch("CAT-IN | 91.8.1952.7.4 | (false true false)",1,searchmatch("CAT-IN | 91.8.1952.7.4 | (false false true)",1,true(),0)
| eval aTXN=if(searchmatch("\"Reply Back\" \"CAT-IN \" \"SOME STUFF\""),1,0) + catin
| eval bTXN=if(searchmatch("RT_DCC_TYPE=converted"),1,0) + catin
| timechart span=1d sum(aTXN) as aTXN sum(bTXN) as bTXN
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-20-2016
08:15 AM
Try this
index=myCompIn source="/locatedin/mySrc.log" ("Reply Back" "CAT-IN " "SOME STUFF") OR ("CAT-IN | 91.8.1952.7.4 | (false true false)" ) OR ("CAT-IN | 91.8.1952.7.4 | (false false true)") OR ( RT_DCC_TYPE=converted ) OR ( "CAT-IN | 91.8.1952.7.4 | (false true false)") OR ( "CAT-IN | 91.8.1952.7.4 | (false false true)" )
| eval catin=case(searchmatch("CAT-IN | 91.8.1952.7.4 | (false true false)",1,searchmatch("CAT-IN | 91.8.1952.7.4 | (false false true)",1,true(),0)
| eval aTXN=if(searchmatch("\"Reply Back\" \"CAT-IN \" \"SOME STUFF\""),1,0) + catin
| eval bTXN=if(searchmatch("RT_DCC_TYPE=converted"),1,0) + catin
| timechart span=1d sum(aTXN) as aTXN sum(bTXN) as bTXN
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dfexsplunk
New Member
09-20-2016
09:23 AM
This worked exactly. Tanx very much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
09-19-2016
08:55 AM
Try this
*UPDATED*
index=myCompIn source="/locatedin/mySrc.log" "Reply Back" "CAT-IN | 91.8.1952.7.4" | timechart span=1d count(eval(match(_raw, "SOME STUFF")) as A count(eval(RT_DCC_TYPE="converted")) as B
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dfexsplunk
New Member
09-20-2016
01:26 AM
Thanks for this sundareshr but no luck with it, I get the following error "Error in 'timechart' command: Repeated group-by field '_time'."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
09-20-2016
04:44 AM
Try the updated answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dfexsplunk
New Member
09-20-2016
06:57 AM
Tanx. Still the same error code produced.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
09-20-2016
07:14 AM
🙂 try this time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dfexsplunk
New Member
09-20-2016
07:20 AM
Tanx. This runs without error but does not find any results!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
09-20-2016
07:31 AM
Do you get any data back when you remove the last segment (timechart)?
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
