Splunk Search

How can I combine two different chart queries into a single and get count

rkishoreqa
Communicator

Hi all, 

 

I have two chart queries to get the success count and error count which are working as expected.  Now I want to add the both and get the total count from both columns. 

Query 1:  index=dev | rex "\"tracePoint\\\\\"\s:\s\\\\\"(?<tracePoint>[^\\\]+)" | rex "\"correlationId\\\\\"\s:\s\\\\\"(?<correlationId>[^\\\]+)" |search app="project1" OR app="project2" OR app="project3" OR app="project4" |where tracePoint="EXCEPTION" |chart count(app) over app by dc(correlationId)

Query 2:  index=dev | rex "\"tracePoint\\\\\"\s:\s\\\\\"(?<tracePoint>[^\\\]+)" | rex "\"correlationId\\\\\"\s:\s\\\\\"(?<correlationId>[^\\\]+)" |search app="project1" OR app="project2" OR app="project3" OR app="project4" |where tracePoint="END" |chart count(app) over app by dc(correlationId)

I tried with 'appendcols', but it is not working, can anyone help me on this. 

Thanks in Advance.

Labels (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

index=dev | rex "\"tracePoint\\\\\"\s:\s\\\\\"(?<tracePoint>[^\\\]+)" | rex "\"correlationId\\\\\"\s:\s\\\\\"(?<correlationId>[^\\\]+)" |search app="project1" OR app="project2" OR app="project3" OR app="project4" |where tracePoint="EXCEPTION" OR tracePoint="END" |chart count(app) over app by tracePoint| addtotals

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

index=dev | rex "\"tracePoint\\\\\"\s:\s\\\\\"(?<tracePoint>[^\\\]+)" | rex "\"correlationId\\\\\"\s:\s\\\\\"(?<correlationId>[^\\\]+)" |search app="project1" OR app="project2" OR app="project3" OR app="project4" |where tracePoint="EXCEPTION" OR tracePoint="END" |chart count(app) over app by tracePoint| addtotals

rkishoreqa
Communicator

Thanks @ITWhisperer 
           It worked like a charm.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...