Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Get results in one chart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
I am new to Splunk but have found it quite useful. My question is this:
I have 2 searches that looks in the log and finds a value that is either "RealTime" or "AdvancedSale".
I have tried the search in 2 ways:
- index=tt OrderIntegration.asmx "PlaceOrderResponse" "RealTime"| timechart span=1d count as NumberofRealTimeListings | join inner [search index=tt OrderIntegration.asmx "PlaceOrderResponse" "AdvancedSale" | timechart span=1d count as NumberofNonRealTimeListings]
Which works but the second search finds only 1 result and lists that on result for the entire span (I run it for a 7 day period)
- index=tt OrderIntegration.asmx "PlaceOrderResponse" "RealTime"| timechart span=1d count as NumberofRealTimeListings | append [search index=tt OrderIntegration.asmx "PlaceOrderResponse" "AdvancedSale" | timechart span=1d count as NumberofNonRealTimeListings]
This works correctly but appends (which it should) the results to the end of the graph making it a long graph and not placing the two on top of each other.
Any ideas what I am doing incorrectly or what I can do to correct this?
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you should ditch the second search altogether and merge it into the first instead. Then use eval statements in your timechart to separate the two.
index=tt OrderIntegration.asmx "PlaceOrderResponse" ("RealTime" OR "AdvancedSale") | timechart span=1d count(eval(searchmatch("RealTime"))) as NumberofRealTimeListings, count(eval(searchmatch("AdvancedSale"))) as NumberofNonRealTimeListings
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you should ditch the second search altogether and merge it into the first instead. Then use eval statements in your timechart to separate the two.
index=tt OrderIntegration.asmx "PlaceOrderResponse" ("RealTime" OR "AdvancedSale") | timechart span=1d count(eval(searchmatch("RealTime"))) as NumberofRealTimeListings, count(eval(searchmatch("AdvancedSale"))) as NumberofNonRealTimeListings
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One more question. I would like to know what % of of the total per day is "Advanced Sales" how can I do this using the current format? I'm pretty sure I'm making this harder than it really is.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Of course, I knew it had to be something to do with the structure. Thank for the help its greatly appreciated!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
