Splunk Search

Get results in one chart

tkwaller
Builder

Hello

I am new to Splunk but have found it quite useful. My question is this:
I have 2 searches that look in the log and find a value that is either "RealTime" or "AdvancedSale".

I have tried the search in 2 ways:

  • index=tt OrderIntegration.asmx "PlaceOrderResponse" "RealTime"| timechart span=1d count as NumberofRealTimeListings | join inner [search index=tt OrderIntegration.asmx "PlaceOrderResponse" "AdvancedSale" | timechart span=1d count as NumberofNonRealTimeListings]

This works, but the second search finds only 1 result and lists that one result for the entire span (I run it for a 7-day period).

  • index=tt OrderIntegration.asmx "PlaceOrderResponse" "RealTime"| timechart span=1d count as NumberofRealTimeListings | append [search index=tt OrderIntegration.asmx "PlaceOrderResponse" "AdvancedSale" | timechart span=1d count as NumberofNonRealTimeListings]

This works correctly, but appends (which it should) the results to the end of the graph, making it a long graph and not placing the two on top of each other.

Any ideas what I am doing incorrectly or what I can do to correct this?
Thank you!

1 Solution

Ayn
Legend

I think you should ditch the second search altogether and merge it into the first instead. Then use eval statements in your timechart to separate the two.

index=tt OrderIntegration.asmx "PlaceOrderResponse" ("RealTime" OR "AdvancedSale") | timechart span=1d count(eval(searchmatch("RealTime"))) as NumberofRealTimeListings, count(eval(searchmatch("AdvancedSale"))) as NumberofNonRealTimeListings


tkwaller
Builder

One more question. I would like to know what % of the total per day is "Advanced Sales". How can I do this using the current format? I'm pretty sure I'm making this harder than it really is.

0 Karma
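The following is an added example, not code from the original thread or from Splunk: a small Python reproduction of what the accepted answer's single search does, run offline over a handful of constructed log lines. It applies the base search terms, then does one pass over the surviving events with one conditional counter per category and one row per day, which is the `timechart span=1d count(eval(searchmatch(...)))` idea. Because both counters live on the same row, a day with no AdvancedSale events keeps a 0 in that column instead of being dropped, which is the behaviour the `join inner` version in the question could not produce. It goes one step beyond the answer by also computing the per-day AdvancedSale percentage asked in the follow-up question; the sample events, timestamps, field names and the `PctAdvancedSale` column name are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the original post): one Splunk-style
# event per line with an ISO timestamp. Day 2 deliberately has no
# AdvancedSale event so the zero-count case is visible.
SAMPLE_EVENTS = [
    "2014-03-01T08:12:01 OrderIntegration.asmx PlaceOrderResponse ListingType=RealTime OrderId=1001",
    "2014-03-01T09:45:13 OrderIntegration.asmx PlaceOrderResponse ListingType=AdvancedSale OrderId=1002",
    "2014-03-01T17:02:44 OrderIntegration.asmx PlaceOrderResponse ListingType=RealTime OrderId=1003",
    "2014-03-02T10:30:00 OrderIntegration.asmx PlaceOrderResponse ListingType=RealTime OrderId=1004",
    "2014-03-02T11:00:00 OrderIntegration.asmx PlaceOrderResponse ListingType=RealTime OrderId=1005",
    "2014-03-03T12:00:00 OrderIntegration.asmx PlaceOrderResponse ListingType=AdvancedSale OrderId=1006",
    "2014-03-03T13:00:00 OrderIntegration.asmx PlaceOrderResponse ListingType=RealTime OrderId=1007",
    "2014-03-03T14:00:00 OrderIntegration.asmx PlaceOrderResponse ListingType=AdvancedSale OrderId=1008",
    # Dropped by the base search: wrong endpoint.
    "2014-03-03T15:00:00 Inventory.asmx PlaceOrderResponse ListingType=RealTime OrderId=1009",
    # Dropped by the base search: neither category token present.
    "2014-03-03T16:00:00 OrderIntegration.asmx PlaceOrderResponse ListingType=Auction OrderId=1010",
]

# Terms every event must contain, mirroring the base search in the thread.
BASE_TERMS = ("OrderIntegration.asmx", "PlaceOrderResponse")
# Category token -> output column name used in the accepted answer.
CATEGORIES = {
    "RealTime": "NumberofRealTimeListings",
    "AdvancedSale": "NumberofNonRealTimeListings",
}


def base_search(events):
    """Mimic `index=tt OrderIntegration.asmx "PlaceOrderResponse" ("RealTime" OR
    "AdvancedSale")`: keep events containing every base term and at least one
    of the two category tokens."""
    for line in events:
        if all(term in line for term in BASE_TERMS) and any(tok in line for tok in CATEGORIES):
            yield line


def timechart_by_day(events):
    """Mimic `timechart span=1d count(eval(searchmatch("RealTime"))) ...,
    count(eval(searchmatch("AdvancedSale"))) ...`: one pass, one row per day,
    one conditional counter per category. A day that has events but none of
    one category keeps a 0 in that column rather than losing the row.
    searchmatch() is a substring test on the raw event, so an event that
    contained both tokens would be counted in both columns, as in Splunk."""
    rows = defaultdict(lambda: {column: 0 for column in CATEGORIES.values()})
    for line in base_search(events):
        day = datetime.fromisoformat(line.split(" ", 1)[0]).date().isoformat()
        for token, column in CATEGORIES.items():
            if token in line:
                rows[day][column] += 1
    return dict(sorted(rows.items()))


def add_advanced_sale_pct(rows):
    """Per-day share of AdvancedSale listings, rounded to 2 decimals. This is
    the follow-up question in the thread and goes beyond the accepted answer;
    the column name PctAdvancedSale is an assumption. A day whose total is 0
    gets 0.0 rather than a division-by-zero error."""
    out = {}
    for day, counts in rows.items():
        realtime = counts["NumberofRealTimeListings"]
        advanced = counts["NumberofNonRealTimeListings"]
        total = realtime + advanced
        pct = round(100.0 * advanced / total, 2) if total else 0.0
        out[day] = {**counts, "PctAdvancedSale": pct}
    return out


if __name__ == "__main__":
    for day, row in add_advanced_sale_pct(timechart_by_day(SAMPLE_EVENTS)).items():
        print(day, row)
```

On the sample data this yields three rows: 2 RealTime / 1 AdvancedSale on the first day, 2 / 0 on the second (the row survives with a zero), and 1 / 2 on the third, with the two filtered events never reaching the counters.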

tkwaller
Builder

Of course, I knew it had to be something to do with the structure. Thanks for the help, it's greatly appreciated!
