How can I compare two search results in one chart?

tiptobi
Explorer

I would like to compare the result count of two search queries in one column chart (one column for each query and day)

The two queries are:
1) index=ex_prod sourcetype=backend /finish status:200 | timechart span=1d count by host
2) index=ex_prod sourcetype=backend /registration status:403 | timechart span=1d count by host

I think I need to store the search results of the two queries in an eval, but I couldn't get it to work as it is a string search and not just fields. Can anyone help me?

0 Karma
1 Solution

xpac
SplunkTrust
SplunkTrust

Try this:

index=ex_prod sourcetype=backend (/finish status:200) OR (/registration status:403)
| eval type=if((like(_raw, "%/finish%") AND like(_raw, "%status:200%")), "finish", (like(_raw, "%/registration%") AND like(_raw, "%status:403%")), "registration")
| timechart span=1d count by type

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂


tiptobi
Explorer

This almost worked; I just replaced the "if" with a "case" and it worked perfectly. So the final version would be:

 index=ex_prod sourcetype=backend (/finish status:200) OR (/registration status:403)
 | eval type=case((like(_raw, "%/finish%") AND like(_raw, "%status:200%")), "finish", (like(_raw, "%/registration%") AND like(_raw, "%status:403%")), "registration")
 | timechart span=1d count by type
0 Karma

niketn
Legend

Instead of conditions like like(_raw, "%/finish%"), the searchmatch function can be used:

  searchmatch("finish")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

tiptobi
Explorer

Perfect, thanks a lot. This is the keyword I was looking for (also for other stuff).

0 Karma
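An added example (not from any of the posters above) that builds a handful of synthetic events with makeresults so the final case() query can be tried without access to the ex_prod index. The sample _raw strings, host names and the six-day spread are constructed for illustration. It also adds a true() fallback bucket: case() returns null for events that match neither condition, and timechart ... by type would then silently drop them, so an explicit "other" column makes that gap visible.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = relative_time(now(), "-" . n . "d@d")
| eval _raw = case(n % 3 == 0, "GET /finish status:200 host=web1",
                   n % 3 == 1, "POST /registration status:403 host=web2",
                   true(), "GET /registration status:200 host=web1")
| eval type = case((like(_raw, "%/finish%") AND like(_raw, "%status:200%")), "finish",
                   (like(_raw, "%/registration%") AND like(_raw, "%status:403%")), "registration",
                   true(), "other")
| timechart span=1d count by type
```

The two like() pairs can be swapped for searchmatch("\"/finish\" \"status:200\"") and searchmatch("\"/registration\" \"status:403\"") as suggested below; the "other" column then shows the /registration status:200 events that neither condition claims.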

adonio
Ultra Champion

Hello there,
hope I understand your question.
Try this:

  index=ex_prod sourcetype=backend "/finish" OR "/registration"
    | rex "status\:(?<status>\d{3})"
    | eval host_status = host."-".status
    | timechart span=1d limit=0 count by host_status

hope it helps

tiptobi
Explorer

Thank you also for this solution, but it was not exactly what I wanted. This solution gives me a column for each status and I cannot tell which URL was called. However, with some minor changes, this would also lead to a working solution.

0 Karma