Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I combine my two searches to graph two different fields in one graph?

Spiere
Path Finder
‎01-13-2016 10:21 AM

Hey guys,

I'm trying to create a graph which calculates the number of logs that fit the text critieria I am searching for. I want to have two different fields mapped on the same graph. I can map them separately correctly, but I would like to have them both on the same graph. These are the two searches I am running to create them on two separate graphs. 

sourcetype=testing DrupalPHPFatal="Error: PHP FATAL Error"  | top limit=5 DrupalFatal
sourcetype=testing PhpFatal="Fatal error"="PHP Fatal Error"  | top limit=5 PhpFatal

I have tried putting then together with a command like:

sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error"  | top limit=5 PhpFatal, DrupalPHPFatal

but it doesnt not return any results. How can I accomplish this task by having both of these graphs combined?

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-13-2016 10:36 AM

Depends upon what type of graph you want to use, you can combine both resultset using append or appendcol etc.

sourcetype=testing DrupalPHPFatal="Error: PHP FATAL Error" | top limit=5 DrupalFatal | append [
sourcetype=testing PhpFatal="Fatal error"="PHP Fatal Error" | top limit=5 PhpFatal]

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-13-2016 10:36 AM

Depends upon what type of graph you want to use, you can combine both resultset using append or appendcol etc.

sourcetype=testing DrupalPHPFatal="Error: PHP FATAL Error" | top limit=5 DrupalFatal | append [
sourcetype=testing PhpFatal="Fatal error"="PHP Fatal Error" | top limit=5 PhpFatal]
Reply
Solved! Jump to solution

Spiere
Path Finder
‎01-13-2016 10:42 AM

The graph I am using is a bar graph. Also, trying that command, it tells me that "unknown search command "sourcetype"

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-13-2016 10:50 AM

Do you want to plot both DrupalFatal and PhpFatal in same x-axis? I believe yes, they use this

 sourcetype=testing DrupalPHPFatal="Error: PHP FATAL Error" | top limit=5 DrupalFatal | rename DrupalFatal as Fatal | append [
 sourcetype=testing PhpFatal="Fatal error"="PHP Fatal Error" | top limit=5 PhpFatal | rename PhpFatal as Fatal]
0 Karma
Reply
Solved! Jump to solution

Spiere
Path Finder
‎01-13-2016 10:59 AM

The count is on the xaxis since its a sideways graph, but I just want a count of the number of matches in both of those types. Also, that command gives me the same error as above when typed in - "unknown search command "sourcetype"

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-13-2016 11:10 AM

Sorry about the error, missed one keyword.

 sourcetype=testing DrupalPHPFatal="Error: PHP FATAL Error" | top limit=5 DrupalFatal | rename DrupalFatal as Fatal | append [search 
  sourcetype=testing PhpFatal="Fatal error"="PHP Fatal Error" | top limit=5 PhpFatal | rename PhpFatal as Fatal]
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...