Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I alter my search for multi (2) line chart that shows as one big line to show "Running" and "Stopped"?

Bleepie
Communicator
‎07-26-2022 01:36 AM

Hello Splunk Community,

I have the following search command:

 

index="myIndex"
host="myHost" 
myScript
Running OR Stopped
| eval running= if(like(_raw, "%Running%"), 1, 0)
| eval stopped= if(like(_raw, "%Stopped%"), 0, 1)
| table _time running stopped
| rename running AS "UP"
| rename stopped AS "DOWN"

 

It looks strange like this:

Bleepie_0-1658824460311.png

There are four events with "Stopped" in it, the rest are all "Running". The script logs either Running or Stopped every 5 minutes. When I hover over the line it reports Down as 1 the entire time even though it should be 0 and only 1 four times. 

How do I adjust this so that it looks like this:

-------------_----------------

________--_________

Where the upper line = Running

And the bottom line = Stopped

 

 

 

 

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

JacekF
Path Finder
‎07-26-2022 05:04 AM

You've missed two lines from your original query. The entire query should look like this:

index="myIndex"
host="myHost" 
myScript
Running OR Stopped
| eval running= if(like(_raw, "%Running%"), 1, 0)
| eval stopped= if(like(_raw, "%Stopped%"), 0, 1)
| timechart latest(running) as UP latest(stopped) as DOWN span=5m

View solution in original post

0 Karma
Reply
Solved! Jump to solution

JacekF
Path Finder
‎07-26-2022 04:16 AM

Will this meet your requirements?

| makeresults
| eval data = "0,1|1,0|1,0|0,1|1,0|0,1|1,0|1,0|0,1|1,0"
| makemv data delim="|"
| mvexpand data
| makemv data delim=","
| eval UP=mvindex(data,1)
| eval DOWN=mvindex(data, 0)
| fields - data
| streamstats count
| eval _time = relative_time(_time, "+".(count*5)."m")
| fields - count
| timechart latest(DOWN) as DOWN latest(UP) as UP span=5m

Please note that everything up to the timechart command is just to generate some data, you don't need it in your search.

0 Karma
Reply
Solved! Jump to solution

Bleepie
Communicator
‎07-26-2022 04:58 AM

Hi! Thanks for your response,

So it is supposed to be like this? :

index="myIndex"
host="myHost" 
myScript
Running OR Stopped
| timechart latest(DOWN) as DOWN latest(UP) as UP span=5m

If I use this, the events are found but the data UP/DOWN are both never occuring resulting in this:

Bleepie_0-1658836637825.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

JacekF
Path Finder
‎07-26-2022 05:04 AM

You've missed two lines from your original query. The entire query should look like this:

index="myIndex"
host="myHost" 
myScript
Running OR Stopped
| eval running= if(like(_raw, "%Running%"), 1, 0)
| eval stopped= if(like(_raw, "%Stopped%"), 0, 1)
| timechart latest(running) as UP latest(stopped) as DOWN span=5m
0 Karma
Reply
Solved! Jump to solution

Bleepie
Communicator
‎07-26-2022 05:27 AM

Thank you it works!

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...