Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How come my trendline is not displaying on a single visualization?

jaj
Path Finder
‎01-21-2019 12:46 PM

How can I get trendline data to show up on a single visualization using the following query? The results come back fine as timechart count, but the panel won't display:

index=ui_logs source="*.logs*" | search ("Start Transaction" "status=COMPLETE")  OR ("Start Transaction" AND "status=FAILED") |
stats count(eval(searchmatch("Start Transaction") AND searchmatch("status=COMPLETE"))) as successCount 
      count(eval(searchmatch("Start Transaction") AND searchmatch("status=FAILED"))) as errorCount |
eval totalCount = successCount + errorCount |
timechart count as totalCount

I would like to map the results to a single trendline display as such:
alt text

Preview file
44 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎01-21-2019 08:23 PM

@jaj your command with stats is removing _time field which is required by timechart

index=ui_logs source="*.logs*" search ("Start Transaction" "status=COMPLETE")  OR ("Start Transaction" AND "status=FAILED") 
| timechart count(eval(searchmatch("Start Transaction") AND searchmatch("status=COMPLETE"))) as successCount 
       count(eval(searchmatch("Start Transaction") AND searchmatch("status=FAILED"))) as errorCount 
| eval totalCount = successCount + errorCount 
| table _time totalCount

As stated in one of my precious answers, you can directly use the following after your base search:

  | timechart count as totalCount

PS: move your | search ... to the base search as in answer above since the SPL in your question is asking for all the results from index and then filtering required data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎01-21-2019 08:23 PM

@jaj your command with stats is removing _time field which is required by timechart

index=ui_logs source="*.logs*" search ("Start Transaction" "status=COMPLETE")  OR ("Start Transaction" AND "status=FAILED") 
| timechart count(eval(searchmatch("Start Transaction") AND searchmatch("status=COMPLETE"))) as successCount 
       count(eval(searchmatch("Start Transaction") AND searchmatch("status=FAILED"))) as errorCount 
| eval totalCount = successCount + errorCount 
| table _time totalCount

As stated in one of my precious answers, you can directly use the following after your base search:

  | timechart count as totalCount

PS: move your | search ... to the base search as in answer above since the SPL in your question is asking for all the results from index and then filtering required data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

jaj
Path Finder
‎01-22-2019 07:35 AM

@niketnilay thank you again!

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...