Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Get results in one chart

tkwaller
Builder
‎09-18-2013 11:14 AM

Hello

I am new to Splunk but have found it quite useful. My question is this:
I have 2 searches that looks in the log and finds a value that is either "RealTime" or "AdvancedSale".

I have tried the search in 2 ways:

  • index=tt OrderIntegration.asmx "PlaceOrderResponse" "RealTime"| timechart span=1d count as NumberofRealTimeListings | join inner [search index=tt OrderIntegration.asmx "PlaceOrderResponse" "AdvancedSale" | timechart span=1d count as NumberofNonRealTimeListings]

Which works but the second search finds only 1 result and lists that on result for the entire span (I run it for a 7 day period)

  • index=tt OrderIntegration.asmx "PlaceOrderResponse" "RealTime"| timechart span=1d count as NumberofRealTimeListings | append [search index=tt OrderIntegration.asmx "PlaceOrderResponse" "AdvancedSale" | timechart span=1d count as NumberofNonRealTimeListings]

This works correctly but appends (which it should) the results to the end of the graph making it a long graph and not placing the two on top of each other.

Any ideas what I am doing incorrectly or what I can do to correct this?
Thank you!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎09-18-2013 12:05 PM

I think you should ditch the second search altogether and merge it into the first instead. Then use eval statements in your timechart to separate the two.

index=tt OrderIntegration.asmx "PlaceOrderResponse" ("RealTime" OR "AdvancedSale") | timechart span=1d count(eval(searchmatch("RealTime"))) as NumberofRealTimeListings, count(eval(searchmatch("AdvancedSale"))) as NumberofNonRealTimeListings

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎09-18-2013 12:05 PM

I think you should ditch the second search altogether and merge it into the first instead. Then use eval statements in your timechart to separate the two.

index=tt OrderIntegration.asmx "PlaceOrderResponse" ("RealTime" OR "AdvancedSale") | timechart span=1d count(eval(searchmatch("RealTime"))) as NumberofRealTimeListings, count(eval(searchmatch("AdvancedSale"))) as NumberofNonRealTimeListings
0 Karma
Reply
Solved! Jump to solution

tkwaller
Builder
‎09-18-2013 01:27 PM

One more question. I would like to know what % of of the total per day is "Advanced Sales" how can I do this using the current format? I'm pretty sure I'm making this harder than it really is.

0 Karma
Reply
Solved! Jump to solution

tkwaller
Builder
‎09-18-2013 12:19 PM

Of course, I knew it had to be something to do with the structure. Thank for the help its greatly appreciated!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...