Splunk Search

How do I combine my two searches to graph two different fields in one graph?

Path Finder

Hey guys,

I'm trying to create a graph which calculates the number of logs that fit the text criteria I am searching for. I want to have two different fields mapped on the same graph. I can map them separately correctly, but I would like to have them both on the same graph. These are the two searches I am running to create them on two separate graphs.

sourcetype=testing DrupalPHPFatal="Error: PHP FATAL Error"  | top limit=5 DrupalFatal
sourcetype=testing PhpFatal="Fatal error"="PHP Fatal Error"  | top limit=5 PhpFatal

I have tried putting them together with a command like:

sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error"  | top limit=5 PhpFatal, DrupalPHPFatal

but it does not return any results. How can I accomplish this task by having both of these graphs combined?

Thanks.

1 Solution

SplunkTrust

Depending on what type of graph you want to use, you can combine both result sets using append or appendcols, etc.

sourcetype=testing DrupalPHPFatal="Error: PHP FATAL Error" | top limit=5 DrupalFatal | append [
sourcetype=testing PhpFatal="Fatal error"="PHP Fatal Error" | top limit=5 PhpFatal]

Path Finder

The graph I am using is a bar graph. Also, trying that command, it tells me: unknown search command "sourcetype"


SplunkTrust

Do you want to plot both DrupalFatal and PhpFatal on the same x-axis? If yes, then use this:

 sourcetype=testing DrupalPHPFatal="Error: PHP FATAL Error" | top limit=5 DrupalFatal | rename DrupalFatal as Fatal | append [
 sourcetype=testing PhpFatal="Fatal error"="PHP Fatal Error" | top limit=5 PhpFatal | rename PhpFatal as Fatal]

Path Finder

The count is on the x-axis since it's a sideways graph, but I just want a count of the number of matches in both of those types. Also, that command gives me the same error as above when typed in: unknown search command "sourcetype"


SplunkTrust

Sorry about the error, missed one keyword.

sourcetype=testing DrupalPHPFatal="Error: PHP FATAL Error" | top limit=5 DrupalFatal | rename DrupalFatal as Fatal
| append [search sourcetype=testing PhpFatal="Fatal error"="PHP Fatal Error" | top limit=5 PhpFatal | rename PhpFatal as Fatal]
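As an added example (not from any post in this thread): the same two counts on one bar chart without a subsearch, by matching both conditions in a single base search and labelling each event before counting. The field names and values are the ones used in the question; the label field `Fatal` and its two label strings are constructed here.

```spl
sourcetype=testing (DrupalPHPFatal="Error: PHP FATAL Error" OR PhpFatal="PHP Fatal error")
| eval Fatal=case(isnotnull(DrupalPHPFatal), "Drupal PHP fatal",
                  isnotnull(PhpFatal),       "PHP fatal")
| stats count BY Fatal
| sort -count
```

Because `append [search ...]` runs its bracketed part as a subsearch, it is subject to the subsearch result and time limits, whereas this single `stats count BY Fatal` pass is not and yields exactly one row per bar. Swapping the `stats` line for `timechart span=1h count BY Fatal` gives the same two series as a time-based bar chart.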