Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I combine my results for two searches to display on a bar graph for comparison?

vrmandadi
Builder
‎04-03-2016 08:38 PM

Hello,

I am trying to join two searches
1)which gives the count for the last three months and
2)which gives the count for the latest month

index=*d*  source="sample_data"  earliest=-3mon@mon latest=-1@mon | rex field=MESSAGE_QUALIFIER "(?\w+)_"| stats count by MESSAGE_TYPE | rename count as last3 | append [search index=*d* source="sample_data"  earliest=-1mon@mon latest=now | rex field=MESSAGE_QUALIFIER "(?\w+)_" | stats count by MESSAGE_TYPE | rename count as last1]

Current output:

MESSAGE_TYPE   last3   last1
CMO            115   
CMP            75    
INQ            403   
NIT            23    
REV            23    
CMP                   15

Expected output:

MESSAGE_TYPE   last3   last1
CMO            115   
CMP            75    15
INQ            403   
NIT                    23    
REV                    23

The expected output when selecting a bar graph should give two bars for CMP side by side, thus making it easy for comparison, right?
alt text

Preview file
7 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-04-2016 11:53 AM

Give these a try

Updated
Recommended

index=*d* source="_sample_data" earliest=-3mon@mon latest=now 
| eval Period=if( _time<relative_time(now(),"-1mon@mon") ,"last1","last3") 
| rex field=MESSAGE_QUALIFIER "(?<MESSAGE_TYPE>\w+)_"  | chart count over MESSAGE_TYPE by Period

Option 2

index=*d* source="_sample_data" earliest=-3mon@mon latest=-1@mon | rex field=MESSAGE_QUALIFIER "(?<MESSAGE_TYPE>\w+)_" | stats count as last3 by MESSAGE_TYPE | append [searchindex=*d* source="_sample_data"  earliest=-1mon@mon latest=now | rex field=MESSAGE_QUALIFIER "(?<MESSAGE_TYPE>\w+)_" | stats count as last1 by MESSAGE_TYPE ]
| stats values(*) as * by MESSAGE_TYPE

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-04-2016 11:53 AM

Give these a try

Updated
Recommended

index=*d* source="_sample_data" earliest=-3mon@mon latest=now 
| eval Period=if( _time<relative_time(now(),"-1mon@mon") ,"last1","last3") 
| rex field=MESSAGE_QUALIFIER "(?<MESSAGE_TYPE>\w+)_"  | chart count over MESSAGE_TYPE by Period

Option 2

index=*d* source="_sample_data" earliest=-3mon@mon latest=-1@mon | rex field=MESSAGE_QUALIFIER "(?<MESSAGE_TYPE>\w+)_" | stats count as last3 by MESSAGE_TYPE | append [searchindex=*d* source="_sample_data"  earliest=-1mon@mon latest=now | rex field=MESSAGE_QUALIFIER "(?<MESSAGE_TYPE>\w+)_" | stats count as last1 by MESSAGE_TYPE ]
| stats values(*) as * by MESSAGE_TYPE
Reply
Solved! Jump to solution

vrmandadi
Builder
‎04-04-2016 12:38 PM

Hello Somesh,

I tried both the queries both the queries gives only the cmp and its count ,but it does not get the results as attached in the screen shot

Sorry I just updated the question both the searches have same sources,and sourcetype

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-04-2016 12:59 PM

Is the rex also same for both the searches OR they differ?? (field=MESSAGE_QUALIFIER to be used in both OR one to use field=MESSAGE_QUALIFIER and other to use field=EWS_MESSAGE_QUALIFIER

0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎04-04-2016 01:04 PM

o yes it is same for both of them..once again sorry

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-04-2016 01:23 PM

Well that makes it easy. Try the updated answer.

0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎04-04-2016 01:33 PM

Thanks a lot Somesh,just one more question.

what if I want to do the same for a day in a week and compare to the same day in the previous week like monday of this week to the monday of the previous week

Thanks a ton

0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎04-04-2016 01:35 PM

can You explain what the below command does

| eval Period=if( _time

0 Karma
Reply
Solved! Jump to solution

jmallorquin
Builder
‎04-04-2016 02:30 AM

Hi,

A easy way to do that is just sum 7,884e+6 seconds to all the events in the query -3m just to bring the events to the same time of the other query.

Then with time chart you will be able to compare the 3 month with the last month.

Hope i help you.

0 Karma
Reply
Solved! Jump to solution

jmallorquin
Builder
‎04-04-2016 10:59 AM

Hi,
No problem try this:

index=d source="sample_data" earliest=-3mon@mon latest=-1@mon | rex field=MESSAGE_QUALIFIER "(?\w+)"  | eval _time=_time+7884000 | eval last="Last 3 month" | append [search index=d source="sample_data_for_splunk_dashboard.json" earliest=-1mon@mon latest=now | rex field=EWS_MESSAGE_QUALIFIER "(?\w+)_"  | eval last="Last month"] | timechart count by last

Hope i help you

0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎04-04-2016 12:44 PM

I tried but it is not giving the results as expected in the attached image

0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎04-04-2016 10:52 AM

I am very new to splunk and I did not understand your answer

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...