Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combining two search and charting successfull event and errors in one chart.

kermit_maness
Engager
‎05-23-2021 07:31 AM

Hello everyone,

Seeking your help. I have  logs where Transaction_ID is unique to  transaction. Depending on each transaction there can be multiple action. But if there is an error there would be a log generated with Action=Error.

I have created two search 

One for successfull creation of transaction:

`base_search` | search action=Error | timechart distinct_count(Transaction_ID) as Successfull

And for errors.

`base_search` | search action!=Error | timechart distinct_count(Transaction_ID) as Error.

I would like to simply display these two in one chart to see number of successfull events vs failed. What would be the best method to combine these two ?

 

Appreciate any guidance.

Labels (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-23-2021 09:17 AM

It is not clear what time value you want to chart so I have assumed the last time for the transaction, I have also assumed you want daily counts. Gather the actions per transaction, and set status based on whether "error" is one of the status for the transaction.

| stats values(actions) as actions last(_time) as _time by transactionid
| eval status=if(match(actions,"error"),"Error","Successful")
| timechart span=1d dc(transactionid) by status

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-23-2021 09:17 AM

It is not clear what time value you want to chart so I have assumed the last time for the transaction, I have also assumed you want daily counts. Gather the actions per transaction, and set status based on whether "error" is one of the status for the transaction.

| stats values(actions) as actions last(_time) as _time by transactionid
| eval status=if(match(actions,"error"),"Error","Successful")
| timechart span=1d dc(transactionid) by status
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...