Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I get 3 fields on a timechart?

dbcase
Motivator
‎09-12-2016 08:48 AM

Hi,

I have data that looks like this:

REBOOT_REASON,EVENT_SUB_TYPE
uc-keypad,etherLoss
uc-keypad,etherLossRes
uc-keypad,etherLoss
uc-keypad,etherLossRes

etc etc etc....

I need to graph these 3 fields over time. I have the graph for the uc-keypad (see below) but trying to figure out how to get 2 more lines. 1 for EVENT_SUB_TYPE=etherLoss and and another for EVENT_SUB_TYPE=etherLossRes

alt text

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-12-2016 09:38 AM

Try this

... | timechart span=1h count(eval(EVENT_SUBTYPE="etherLoss")) as eL count(eval(EVENT_SUBTYPE="etherLossRes")) as eLR count as reason

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-12-2016 09:42 AM

Can you share your current search? You want to show count of events with those EVENT_SUB_TYPE values?

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-12-2016 09:38 AM

Try this

... | timechart span=1h count(eval(EVENT_SUBTYPE="etherLoss")) as eL count(eval(EVENT_SUBTYPE="etherLossRes")) as eLR count as reason
0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎09-12-2016 10:02 AM

Hi Sundareshr,

I tried that one but I think I'm running across either a bug or something I don't understand. Let me try to explain.....

The query looks like this (after your answer)

earliest=-96h index=top10_1 Uc-keypad|timechart span=1h count(eval(EVENT_SUBTYPE="etherLoss")) as eL count(eval(EVENT_SUBTYPE="etherLossRes")) as eLR count as reason

The top10_1 index is made up of several CSV files. The EVENT_SUB_TYPE field is in one CSV source file while REBOOT_REASON is in a different CSV file. When I reference either field in a query the other one "disappears" from the field list and the results of the query for the disappearing field is always 0.

Did that make sense?

0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎09-12-2016 10:04 AM

A bit more info. In the query above reason gets graphed but eL and eLR are both 0

0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎09-12-2016 10:10 AM

Update

If I remove the search criteria earliest=-96h index=top10_1 Uc-keypad

And then update the query so it looks like this:

earliest=-96h index=top10_1 |timechart span=1h count(eval(EVENT_SUB_TYPE="etherLoss")) as etherLoss count(eval(EVENT_SUB_TYPE="etherLossRes")) as etherLossRes count(eval(REBOOT_REASON="Reason: Uc-keypad hung")) as "UC-Keypad Hung"

It works.... slow.....but it works 🙂

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-12-2016 10:27 AM

Try this (may work little better)

earliest=-96h index=top10_1 Uc-keypad OR etherLoss |timechart span=1h count(eval(EVENT_SUB_TYPE="etherLoss")) as etherLoss count(eval(EVENT_SUB_TYPE="etherLossRes")) as etherLossRes count(eval(REBOOT_REASON="Reason: Uc-keypad hung")) as "UC-Keypad Hung"
Reply
Solved! Jump to solution

dbcase
Motivator
‎09-12-2016 10:36 AM

Thanks Somesoni2! That one is a bit better (15 seconds) 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...