- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Combining charts from different searches
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Combining charts from different searches
im using something like this:
sourcetype="A" category="CatA" "msg string in my log not stored as a field" | timechart span=1h count(_raw)
this gives me a single charted line which tracks occurrences of that particular log with string specified. I hav several of such lines. However is there a way to save each of this 'search' under a single name so that i can combine them into a single chart?
im not sure if this is possible (i suspect it has to do with eval)? any tips?
EDIT:
Event looks like this:
6/27/2011 3:47:02 AM 6/27/2011 3:47:02 AM pss2wlsfe2b [ps2wseb] PS.RR.SV.APP Full GC detected in log file [directory/gc.log] line [254988] (5 occurrences since 11:42:01) CLOSED WARNING App
so basically, from "Full GC detected in log file [directory/gc.log] line 254988"
they are replacable by the following messages as well.
Warn:Full GC detected in log file line 3
Memory high after full GC (90.19%/90%, next threshold 95%)
Err:Memory high after full GC (80%/75%, next threshold 80%)
basically im looking out for almost the entire main phrase:
"full gc detected in log file"
"memory high after full gc"
"err:memory high after full gc"
to see if they occur at the same time or over diff periods of time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would say that this is possible with rex, i.e. extracting fields on the fly, but it's pretty dependant on how the events are formatted. My idea for doing this is;
sourcetype=A category=CatA "string no 1" OR "string no 2" OR "string no 3"
| rex "blaha (?<my_string>(string no 1 | string no 2 | string no 3)) blaha"
| timechart span=1h count by my_string
Please post a few sample messages to be able to get better help.
From your ONE sample, it's hard to tell the general pattern of the possible log messages, but here's a shot at extracting the interesting string as a field;
sourcetype=A category=CatA | rex "\[\w+\]\s[A-Z.]\s(?<msg_string>[\s\w:]+)" | timechart c by msg_string
If you have a lot of events that do not contain a msg_string, you could insert a search msg_string=* after the rex, but before the timechart/stats/whatever function.
BR
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok.
thanks for the help so far! 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Full events, please 🙂
Just mask any sensitive stuff, ip-addresses, accounts etc.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
updated.
;)
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
