How do I get 3 fields on a timechart?

dbcase
Motivator

Hi,

I have data that looks like this:

REBOOT_REASON,EVENT_SUB_TYPE
uc-keypad,etherLoss
uc-keypad,etherLossRes
uc-keypad,etherLoss
uc-keypad,etherLossRes

etc etc etc....

I need to graph these 3 fields over time. I have the graph for the uc-keypad (see below) but am trying to figure out how to get 2 more lines: 1 for EVENT_SUB_TYPE=etherLoss and another for EVENT_SUB_TYPE=etherLossRes

1 Solution

sundareshr
Legend

Try this

... | timechart span=1h count(eval(EVENT_SUB_TYPE="etherLoss")) as eL count(eval(EVENT_SUB_TYPE="etherLossRes")) as eLR count as reason

somesoni2
Revered Legend

Can you share your current search? You want to show count of events with those EVENT_SUB_TYPE values?

dbcase
Motivator

Hi Sundareshr,

I tried that one but I think I'm running across either a bug or something I don't understand. Let me try to explain.....

The query looks like this (after your answer)

earliest=-96h index=top10_1 Uc-keypad|timechart span=1h count(eval(EVENT_SUBTYPE="etherLoss")) as eL count(eval(EVENT_SUBTYPE="etherLossRes")) as eLR count as reason

The top10_1 index is made up of several CSV files. The EVENT_SUB_TYPE field is in one CSV source file while REBOOT_REASON is in a different CSV file. When I reference either field in a query the other one "disappears" from the field list and the results of the query for the disappearing field is always 0.

Did that make sense?

dbcase
Motivator

A bit more info. In the query above reason gets graphed but eL and eLR are both 0

dbcase
Motivator

Update

If I remove the search criteria earliest=-96h index=top10_1 Uc-keypad

And then update the query so it looks like this:

earliest=-96h index=top10_1 |timechart span=1h count(eval(EVENT_SUB_TYPE="etherLoss")) as etherLoss count(eval(EVENT_SUB_TYPE="etherLossRes")) as etherLossRes count(eval(REBOOT_REASON="Reason: Uc-keypad hung")) as "UC-Keypad Hung"

It works.... slow.....but it works 🙂

somesoni2
Revered Legend

Try this (may work a little better)

earliest=-96h index=top10_1 Uc-keypad OR etherLoss |timechart span=1h count(eval(EVENT_SUB_TYPE="etherLoss")) as etherLoss count(eval(EVENT_SUB_TYPE="etherLossRes")) as etherLossRes count(eval(REBOOT_REASON="Reason: Uc-keypad hung")) as "UC-Keypad Hung"

dbcase
Motivator

Thanks Somesoni2! That one is a bit better (15 seconds) 🙂
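As an added illustration (not code from this thread or from Splunk), the Python below models what the searches above do: the base-search terms decide which source's events reach the pipeline at all, and each `count(eval(...))` column counts only events whose field matches, which is why a search restricted to `Uc-keypad` graphs the reboot count but zeros for the EVENT_SUB_TYPE columns. The events, the whole-token matching rule and the trailing `*` prefix handling are simplified assumptions of this model, not Splunk's exact segmentation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed events (not from the thread): two CSV sources indexed into one
# index, one carrying REBOOT_REASON, the other EVENT_SUB_TYPE.
EVENTS = [
    {"_time": "2023-05-01T00:05", "REBOOT_REASON": "Reason: Uc-keypad hung"},
    {"_time": "2023-05-01T00:20", "EVENT_SUB_TYPE": "etherLoss"},
    {"_time": "2023-05-01T00:25", "EVENT_SUB_TYPE": "etherLossRes"},
    {"_time": "2023-05-01T01:10", "REBOOT_REASON": "Reason: Uc-keypad hung"},
    {"_time": "2023-05-01T01:40", "EVENT_SUB_TYPE": "etherLoss"},
    {"_time": "2023-05-01T02:15", "EVENT_SUB_TYPE": "etherLossRes"},
]

def matches(event, terms):
    """Simplified base search: a bare term selects an event when it equals a
    whole token (case-insensitive) of any field value; a trailing '*' makes it
    a prefix. Tokens are split on whitespace, commas and colons (assumption)."""
    tokens = {t.lower() for k, v in event.items() if k != "_time"
              for t in re.split(r"[\s,:]+", v) if t}
    for term in (t.lower() for t in terms):
        if term.endswith("*") and any(tok.startswith(term[:-1]) for tok in tokens):
            return True
        if term in tokens:
            return True
    return False

def timechart(events, columns):
    """Model of `timechart span=1h count(eval(...)) as X ... count as Y`: bucket
    by hour, then count per column. A predicate over a field the event lacks is
    false, so the event adds nothing to that column but still adds to `count`."""
    table = defaultdict(lambda: dict.fromkeys(columns, 0))
    for ev in events:
        bucket = datetime.fromisoformat(ev["_time"]).replace(minute=0).isoformat()
        for name, pred in columns.items():
            if pred is None or pred(ev):
                table[bucket][name] += 1
    return dict(sorted(table.items()))

COLUMNS = {
    "etherLoss": lambda e: e.get("EVENT_SUB_TYPE") == "etherLoss",
    "etherLossRes": lambda e: e.get("EVENT_SUB_TYPE") == "etherLossRes",
    "UC-Keypad Hung": lambda e: e.get("REBOOT_REASON") == "Reason: Uc-keypad hung",
    "count": None,
}

def run(terms):
    """Apply the base-search terms (empty = whole index), then the timechart."""
    return timechart([e for e in EVENTS if not terms or matches(e, terms)], COLUMNS)
```

Under this model a bare `etherLoss` term selects only events carrying that exact token, so `etherLossRes` rows need their own term or a prefix such as `etherLoss*` unless another column of that source already matches.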
