How can I compare two search results in one chart?

Explorer

I would like to compare the result count of two search queries in one column chart (one column for each query and day)

The two queries are:
1) index=ex_prod sourcetype=backend /finish status:200 | timechart span=1d count by host
2) index=ex_prod sourcetype=backend /registration status:403 | timechart span=1d count by host

I think I need to store the search results of the two queries in an eval, but I couldn't get it to work as it is a string search and not just fields. Can anyone help me?

Re: How can I compare two search results in one chart?

SplunkTrust

hello there,
hope I understand your question
try this:

  index=ex_prod sourcetype=backend "/finish" OR "/registration"
    | rex "status\:(?<status>\d{3})"
    | eval host_status = host."-".status
    | timechart span=1d limit=0 count by host_status

hope it helps

Re: How can I compare two search results in one chart?

Explorer

Thank you also for this solution, but it was not exactly what I wanted. This solution gives me a column for each status, and I cannot distinguish which URL was called. However, with some minor changes, this would also lead to a working solution.

Re: How can I compare two search results in one chart?

SplunkTrust

Try this:

index=ex_prod sourcetype=backend (/finish status:200) OR (/registration status:403)
| eval type=if((like(_raw, "%/finish%") AND like(_raw, "%status:200%")), "finish", (like(_raw, "%/registration%") AND like(_raw, "%status:403%")), "registration")
| timechart span=1d count by type

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

Re: How can I compare two search results in one chart?

Explorer

This worked almost, I just replaced the "if" with a "case" and it worked perfectly. So the final version would be:

 index=ex_prod sourcetype=backend (/finish status:200) OR (/registration status:403)
 | eval type=case((like(_raw, "%/finish%") AND like(_raw, "%status:200%")), "finish", (like(_raw, "%/registration%") AND like(_raw, "%status:403%")), "registration")
 | timechart span=1d count by type

Re: How can I compare two search results in one chart?

Legend

Instead of conditions like like(_raw, "%/finish%"), the searchmatch function can be used:

  searchmatch("finish")

| eval message="Happy Splunking!!!"
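Putting the accepted case() approach together with searchmatch(), as an added example that is not from any post in this thread: the index, sourcetype and search terms are the ones the question used, and the trailing true() branch labelled "other" is an addition so that any event matching neither pattern shows up as its own series instead of a NULL series.

```spl
index=ex_prod sourcetype=backend (/finish status:200) OR (/registration status:403)
| eval type=case(
    searchmatch("/finish status:200"), "finish",
    searchmatch("/registration status:403"), "registration",
    true(), "other")
| timechart span=1d count by type
```

Each searchmatch() argument is evaluated as a search against the event, so the two terms inside it are ANDed exactly as they are in the base search; with the base search as written the "other" branch is never hit, but it becomes useful if the base search is widened later.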

Re: How can I compare two search results in one chart?

Explorer

Perfect, thanks a lot. This is the keyword I was looking for (also for other stuff).
