Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Combining charts from different searches

attgjh1
Communicator
‎06-07-2012 11:06 PM

im using something like this:

sourcetype="A" category="CatA" "msg string in my log not stored as a field" | timechart span=1h count(_raw)

this gives me a single charted line which tracks occurrences of that particular log with string specified. I hav several of such lines. However is there a way to save each of this 'search' under a single name so that i can combine them into a single chart?

im not sure if this is possible (i suspect it has to do with eval)? any tips?

EDIT:

Event looks like this: 

6/27/2011 3:47:02 AM    6/27/2011 3:47:02 AM    pss2wlsfe2b [ps2wseb] PS.RR.SV.APP Full GC detected in log file [directory/gc.log] line [254988] (5 occurrences since 11:42:01) CLOSED  WARNING App

so basically, from "Full GC detected in log file [directory/gc.log] line 254988"
they are replacable by the following messages as well.

Warn:Full GC detected in log file line 3

Memory high after full GC (90.19%/90%, next threshold 95%)

Err:Memory high after full GC (80%/75%, next threshold 80%)

basically im looking out for almost the entire main phrase:

"full gc detected in log file"

"memory high after full gc"

"err:memory high after full gc"

to see if they occur at the same time or over diff periods of time

Tags (3)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-08-2012 12:20 AM

I would say that this is possible with rex, i.e. extracting fields on the fly, but it's pretty dependant on how the events are formatted. My idea for doing this is;

sourcetype=A category=CatA "string no 1" OR "string no 2" OR "string no 3" 
| rex "blaha (?<my_string>(string no 1 | string no 2 | string no 3)) blaha" 
| timechart span=1h count by my_string

Please post a few sample messages to be able to get better help.

From your ONE sample, it's hard to tell the general pattern of the possible log messages, but here's a shot at extracting the interesting string as a field;

sourcetype=A category=CatA | rex "\[\w+\]\s[A-Z.]\s(?<msg_string>[\s\w:]+)" | timechart c by msg_string

If you have a lot of events that do not contain a msg_string, you could insert a search msg_string=* after the rex, but before the timechart/stats/whatever function.

BR

Kristian

0 Karma
Reply

attgjh1
Communicator
‎06-10-2012 05:48 PM

ok.
thanks for the help so far! 🙂

0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-08-2012 03:39 AM

Full events, please 🙂

Just mask any sensitive stuff, ip-addresses, accounts etc.

0 Karma
Reply

attgjh1
Communicator
‎06-08-2012 01:02 AM

updated.
;)

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What’s a riddle wrapped in an enigma?

September 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

BORE at .conf25

Boss Of Regular Expression (BORE) was an interactive session run again this year at .conf25 by the brilliant ...

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...