Splunk Search

How do I get 3 fields on a timechart?

dbcase
Motivator

Hi,

I have data that looks like this:

REBOOT_REASON,EVENT_SUB_TYPE
uc-keypad,etherLoss
uc-keypad,etherLossRes
uc-keypad,etherLoss
uc-keypad,etherLossRes

etc etc etc....

I need to graph these 3 fields over time. I have the graph for the uc-keypad (see below) but am trying to figure out how to get 2 more lines: 1 for EVENT_SUB_TYPE=etherLoss and another for EVENT_SUB_TYPE=etherLossRes

[screenshot: existing timechart of the uc-keypad reboots]

1 Solution

sundareshr
Legend

Try this

... | timechart span=1h count(eval(EVENT_SUB_TYPE="etherLoss")) as eL count(eval(EVENT_SUB_TYPE="etherLossRes")) as eLR count as reason


somesoni2
Revered Legend

Can you share your current search? You want to show count of events with those EVENT_SUB_TYPE values?



dbcase
Motivator

Hi Sundareshr,

I tried that one but I think I'm running across either a bug or something I don't understand. Let me try to explain.....

The query looks like this (after your answer)

earliest=-96h index=top10_1 Uc-keypad | timechart span=1h count(eval(EVENT_SUB_TYPE="etherLoss")) as eL count(eval(EVENT_SUB_TYPE="etherLossRes")) as eLR count as reason

The top10_1 index is made up of several CSV files. The EVENT_SUB_TYPE field is in one CSV source file while REBOOT_REASON is in a different CSV file. When I reference either field in a query the other one "disappears" from the field list and the results of the query for the disappearing field is always 0.

Did that make sense?


dbcase
Motivator

A bit more info. In the query above reason gets graphed but eL and eLR are both 0


dbcase
Motivator

Update

If I remove the search criteria earliest=-96h index=top10_1 Uc-keypad

And then update the query so it looks like this:

earliest=-96h index=top10_1 |timechart span=1h count(eval(EVENT_SUB_TYPE="etherLoss")) as etherLoss count(eval(EVENT_SUB_TYPE="etherLossRes")) as etherLossRes count(eval(REBOOT_REASON="Reason: Uc-keypad hung")) as "UC-Keypad Hung"

It works.... slow.....but it works 🙂


somesoni2
Revered Legend

Try this (may work a little better)

earliest=-96h index=top10_1 Uc-keypad OR etherLoss |timechart span=1h count(eval(EVENT_SUB_TYPE="etherLoss")) as etherLoss count(eval(EVENT_SUB_TYPE="etherLossRes")) as etherLossRes count(eval(REBOOT_REASON="Reason: Uc-keypad hung")) as "UC-Keypad Hung"

dbcase
Motivator

Thanks Somesoni2! That one is a bit better (15 seconds) 🙂

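For reference, here is a general form of the same search as an added example; it is not from any post in this thread. It assumes the index name, field names and field values exactly as dbcase described them (index=top10_1, EVENT_SUB_TYPE with values etherLoss / etherLossRes, and REBOOT_REASON="Reason: Uc-keypad hung"); the series label "UC-Keypad Hung" is kept from dbcase's working query. It differs from the thread's queries in two ways that matter in practice: the base search restricts on field values rather than bare terms, so the timechart is only counting events it has actually filtered for (a bare term like etherLoss is matched against indexed tokens and does not reliably match a differently tokenised value such as etherLossRes), and the per-series logic lives in one eval/case so that adding a fourth or fifth line means adding a case branch, not another count(eval(...)) clause.

```spl
earliest=-96h index=top10_1
    (REBOOT_REASON="Reason: Uc-keypad hung"
     OR EVENT_SUB_TYPE="etherLoss"
     OR EVENT_SUB_TYPE="etherLossRes")
| eval series=case(
      EVENT_SUB_TYPE=="etherLoss",               "etherLoss",
      EVENT_SUB_TYPE=="etherLossRes",            "etherLossRes",
      REBOOT_REASON=="Reason: Uc-keypad hung",   "UC-Keypad Hung")
| timechart span=1h usenull=f useother=f count by series
```

Because the two fields come from different CSV sources, each event sets at most one of them, so every event lands in exactly one series; usenull=f drops any event that somehow matches neither branch instead of charting it as a NULL line. The field-based filter in the base search is also what keeps the run time down: Splunk only has to read the events that will appear in one of the three lines rather than the whole index for the last 96 hours.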