Splunk Search

How can I create a chart based on two separate searches?

julescarney
New Member

I'm trying to create a chart like the one below, that shows the count for events containing errorname A, errorname B, etc. for each url. Basically in my application there are sessions - some of the events in the sessions contain url, and some contain errornames.

url     | errorname | count
http..a | error.A   | 37
        | error.B   | 20
http..b | error.A   | 1
        | error.B   | 13

I can get a count of sessions with any error by url with this query:

url[search CASE(ERROR.)|fields sessionid | format] | stats count by url

I can get a count of events by errorname with this:

name [search CASE(ERROR.) AND platformtype="CCX*"| fields eventid | format] | stats count by name

But I can't get counts of each errorname for each url. Thanks for any help.

0 Karma

lguinn2
Legend

What if you did something like this?

yoursearchhere
| transaction sessionid
| search CASE(ERROR.)
| stats count by url name

This groups all the events for a session into a single event (transaction). Then it keeps only the transactions that have the ERROR. term. And finally it does the count.

0 Karma

julescarney
New Member

Thanks for the reply.

The query you posted gives me 0 results, though if I do

CASE(ERROR.) platformtype="CCX*"| stats count by name

I get a count of the events with each errorname.

Each unique session has a url. Each error event is part of a session, so that first query I posted above finds the urls for all the sessions that had errors, then does the count of events by url.

Each event that contains an error has an errorname ("name"). However, non-error events also have names.

What I'm trying to chart is this: for each url, how many events contained each errorname.

Thanks again.

0 Karma

lguinn2
Legend

What happens if you do this?

CASE(ERROR.) platformtype="CCX*"
| stats count by url name

And if this isn't what you want, then my question is - how do you associate the urls with the error names?

0 Karma
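
One way to make the session-based association described in this thread explicit, as an added example that is not from either poster: copy each session's url onto every event of that session with eventstats, then count only the error events. It assumes every event carries sessionid, uses `index=<your_index>` as a placeholder for the base search, and uses a case-sensitive `match()` on `_raw` as a stand-in for the `CASE(ERROR.)` term filter.

```spl
index=<your_index> sessionid=*
| eval is_error=if(match(_raw, "ERROR\.") AND like(platformtype, "CCX%"), 1, 0)
| eventstats values(url) AS session_url BY sessionid
| where is_error=1 AND isnotnull(session_url)
| stats count BY session_url, name
| rename session_url AS url, name AS errorname
```

If a session ever carries more than one url, `values(url)` becomes multivalued and each error event is counted once per url.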
