Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I compare two search results in one chart?

tiptobi
Explorer
‎05-23-2018 04:59 AM

I would like to compare the result count of two search queries in one column chart (one column for each query and day)

The two queries are:
1) index=ex_prod sourcetype=backend /finish status:200 | timechart span=1d count by host
2) index=ex_prod sourcetype=backend /registration status:403 | timechart span=1d count by host

I think I need to store the search results of the two queries in an eval but I couldn't get it work as it is a string search and not just fields. Can anyone help me?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎05-23-2018 05:50 AM

Try this:

index=ex_prod sourcetype=backend (/finish status:200) OR (/registration status:403)
| eval type=if((like(_raw, "%/finish%") AND like(_raw, "%status:200%")), "finish", (like(_raw, "%/registration%") AND like(_raw, "%status:403%")), "registration")
| timechart span=1d count by type

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎05-23-2018 05:50 AM

Try this:

index=ex_prod sourcetype=backend (/finish status:200) OR (/registration status:403)
| eval type=if((like(_raw, "%/finish%") AND like(_raw, "%status:200%")), "finish", (like(_raw, "%/registration%") AND like(_raw, "%status:403%")), "registration")
| timechart span=1d count by type

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

Reply
Solved! Jump to solution

tiptobi
Explorer
‎05-23-2018 06:20 AM

This worked almost, I just replaced the "if" with a "case" and it worked perfectly. So the final version would be:

 index=ex_prod sourcetype=backend (/finish status:200) OR (/registration status:403)
 | eval type=case((like(_raw, "%/finish%") AND like(_raw, "%status:200%")), "finish", (like(_raw, "%/registration%") AND like(_raw, "%status:403%")), "registration")
 | timechart span=1d count by type
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎05-23-2018 06:28 AM

Instead of conditions like like(_raw, "%/finish%"), searchmatch function can be used:

  searchmatch("finish")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

tiptobi
Explorer
‎05-23-2018 06:52 AM

Perfect, thx a lot. This is the keyword I was looking for (also for other stuff).

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎05-23-2018 05:48 AM

hello there,
hope i understand you r question
try this: 

  index=ex_prod sourcetype=backend "/finish" OR "/registration"
    | rex "status\:(?<status>\d{3})"
    | eval host_status = host."-".status
    | timechart span=1d limit=0 count by host_status

hope it helps

Reply
Solved! Jump to solution

tiptobi
Explorer
‎05-23-2018 06:23 AM

Thank you also for this solution, but it was not exactly what i wanted. This solution gives me a column for each status and I can not differ which url was called. However, with some minor changes, this would also lead to a working solution.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...