- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Count and chart two different queries
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey all,
Newbie here learning Splunk. I'm starting to get into dashboards and want to create either a pie chart or just a simple count of how many times a certain string occurs in a log file.
| stats count("no phase found for entry") count("no work order found")This returns two columns but they both have 0 in them. But if I just search for each string individually or with an OR statement, it returns all entries (which is around 118 combined).
I've been reading through the Splunk Documentation on stats but can't seem to find an answer on how to combine two counts of anything.
Any help is appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
Your base search
| stats count(eval(searchmatch("no phase found for entry"))) as count_no_phase count(eval(searchmatch("no work order found"))) as count_no_order- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
Your base search
| stats count(eval(searchmatch("no phase found for entry"))) as count_no_phase count(eval(searchmatch("no work order found"))) as count_no_order- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That worked, but I think I discovered a fundamental problem with my search.
As I said, I'm really new to Splunk and didn't know I needed a search at the beginning before I did the stats command. What I did was:
"no phase found for entry" OR "no work order found" | stats count(eval(searchmatch("no phase found for entry"))) AS count_no_phase count(eval(searchmatch("no work order found"))) AS count_no_order
Before the pipe command, can I just search for anything? Or does it have to match exactly what I'm looking for in the searchmatch?
EDIT: Also, it doesn't look like I can plot these results (50 for count_no_phase & 2 for count_no_order) on something like a pie chart after running that search. It splits them into a table format, but I'm not so sure how to get it onto a pie or line chart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The stats count function is counting events in the pipeline. You can affect which ones are counted a number of way. One way might be to count whether a condition is true. For example:
| eval no_phase=if(match(_raw,"no phase found for entry"),1,0)
| eval no_work_order=if(match(_raw,"no phase found for entry"),1,0)
| stats sum(no_phase) as no_phase sum(no_work_order) as no_work_order- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmm. That didn't seem to work. All it returns is:
No results found. Try expanding the time range.I expanded to the last 7 days to make sure and it still didn't find anything. I also just tried doing
| eval no_phase=if(match(_raw,"no phase found for entry"),1,0) | stats sum(no_phase) AS phaseThis also did not return any results.
Any other ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you share some of the events you are working with?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
