Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Count and chart two different queries

zebulajams
Explorer
‎01-20-2022 09:26 AM

Hey all,

Newbie here learning Splunk. I'm starting to get into dashboards and want to create either a pie chart or just a simple count of how many times a certain string occurs in a log file.

| stats count("no phase found for entry") count("no work order found")

This returns two columns but they both have 0 in them. But if I just search for each string individually or with an OR statement, it returns all entries (which is around 118 combined).

I've been reading through the Splunk Documentation on stats but can't seem to find an answer on how to combine two counts of anything.

Any help is appreciated!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-20-2022 11:20 AM

Give this a try

Your base search
| stats count(eval(searchmatch("no phase found for entry"))) as count_no_phase count(eval(searchmatch("no work order found"))) as count_no_order

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-20-2022 11:20 AM

Give this a try

Your base search
| stats count(eval(searchmatch("no phase found for entry"))) as count_no_phase count(eval(searchmatch("no work order found"))) as count_no_order
0 Karma
Reply
Solved! Jump to solution

zebulajams
Explorer
‎01-20-2022 12:20 PM

That worked, but I think I discovered a fundamental problem with my search.

As I said, I'm really new to Splunk and didn't know I needed a search at the beginning before I did the stats command. What I did was:

 

"no phase found for entry" OR "no work order found" | stats count(eval(searchmatch("no phase found for entry"))) AS count_no_phase count(eval(searchmatch("no work order found"))) AS count_no_order

 

Before the pipe command, can I just search for anything? Or does it have to match exactly what I'm looking for in the searchmatch?

EDIT: Also, it doesn't look like I can plot these results (50 for count_no_phase & 2 for count_no_order) on something like a pie chart after running that search. It splits them into a table format, but I'm not so sure how to get it onto a pie or line chart.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-20-2022 09:39 AM

The stats count function is counting events in the pipeline. You can affect which ones are counted a number of way. One way might be to count whether a condition is true. For example:

| eval no_phase=if(match(_raw,"no phase found for entry"),1,0)
| eval no_work_order=if(match(_raw,"no phase found for entry"),1,0)
| stats sum(no_phase) as no_phase sum(no_work_order) as no_work_order
0 Karma
Reply
Solved! Jump to solution

zebulajams
Explorer
‎01-20-2022 09:52 AM

Hmm. That didn't seem to work. All it returns is:

No results found. Try expanding the time range.

I expanded to the last 7 days to make sure and it still didn't find anything. I also just tried doing

| eval no_phase=if(match(_raw,"no phase found for entry"),1,0) | stats sum(no_phase) AS phase

This also did not return any results.

Any other ideas?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-20-2022 11:49 AM

Can you share some of the events you are working with?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...