Splunk Search

How can I compare two search results in one chart?

tiptobi
Explorer

I would like to compare the result count of two search queries in one column chart (one column for each query and day)

The two queries are:
1) index=ex_prod sourcetype=backend /finish status:200 | timechart span=1d count by host
2) index=ex_prod sourcetype=backend /registration status:403 | timechart span=1d count by host

I think I need to store the search results of the two queries in an eval but I couldn't get it to work as it is a string search and not just fields. Can anyone help me?

0 Karma
1 Solution

xpac
SplunkTrust
SplunkTrust

Try this:

index=ex_prod sourcetype=backend (/finish status:200) OR (/registration status:403)
| eval type=if((like(_raw, "%/finish%") AND like(_raw, "%status:200%")), "finish", (like(_raw, "%/registration%") AND like(_raw, "%status:403%")), "registration")
| timechart span=1d count by type

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂


tiptobi
Explorer

This almost worked, I just replaced the "if" with a "case" and it worked perfectly. So the final version would be:

 index=ex_prod sourcetype=backend (/finish status:200) OR (/registration status:403)
 | eval type=case((like(_raw, "%/finish%") AND like(_raw, "%status:200%")), "finish", (like(_raw, "%/registration%") AND like(_raw, "%status:403%")), "registration")
 | timechart span=1d count by type
0 Karma

niketn
Legend

Instead of conditions like like(_raw, "%/finish%"), the searchmatch function can be used:

  searchmatch("finish")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
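An added example that is not from any of the posters above: it combines the accepted case() approach with niketn's searchmatch() hint and generalizes it slightly. Each event is tested against the same two search expressions the question used, events that match neither get an explicit "other" bucket (case() returns null for them otherwise, and timechart silently drops null split-by values), and the result is one column per query and day. The index, sourcetype and the "/finish status:200" / "/registration status:403" tokens are taken from the question; the field name type and the bucket names are assumptions.

```spl
index=ex_prod sourcetype=backend ("/finish" "status:200") OR ("/registration" "status:403")
| eval type=case(
    searchmatch("\"/finish\" \"status:200\""), "finish",
    searchmatch("\"/registration\" \"status:403\""), "registration",
    true(), "other")
| timechart span=1d count by type
```

The quoted terms inside searchmatch() are parsed with normal search semantics (two terms are ANDed), so the same tokens work both in the base search and in the classification; because the base search already restricts to the two patterns, the "other" column should stay at zero, and a non-zero value there is a quick check that the tokens do not mean what you think they do.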

tiptobi
Explorer

Perfect, thx a lot. This is the keyword I was looking for (also for other stuff).

0 Karma

adonio
Ultra Champion

hello there,
hope I understand your question
try this:

  index=ex_prod sourcetype=backend "/finish" OR "/registration"
    | rex "status\:(?<status>\d{3})"
    | eval host_status = host."-".status
    | timechart span=1d limit=0 count by host_status

hope it helps

tiptobi
Explorer

Thank you also for this solution, but it was not exactly what I wanted. This solution gives me a column for each status and I cannot distinguish which URL was called. However, with some minor changes, this would also lead to a working solution.

0 Karma
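As an added example (not adonio's or tiptobi's code), the "minor changes" that make the rex-based variant answer the question: extract the URL path as well as the status code, keep only the two URL/status pairs that were asked about, and split the timechart on the combined field. The index, sourcetype, URL paths and status codes come from the question and from adonio's answer; the regex for the URL, the field names url and url_status, and the where filter are assumptions.

```spl
index=ex_prod sourcetype=backend "/finish" OR "/registration"
| rex "(?<url>/finish|/registration)"
| rex "status\:(?<status>\d{3})"
| where (url="/finish" AND status="200") OR (url="/registration" AND status="403")
| eval url_status = url."-".status
| timechart span=1d limit=0 count by url_status
```

Compared with the case() version, this one keeps the extracted fields available for further filtering (for example, adding host back into the composite field restores adonio's per-host split), at the cost of a regex pass over every event that matches either path.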