Splunk Search

How do you plot two series (total vs matching condition) to a timechart?

orinciog
New Member

Hello!

I have an index with events that have a status field. They come in the index in real time. I have a dashboard with a timechart and here I want to plot two series based on the selected input above. This input is a dropdown list consisting of:

  • All the possible values of the status field (extracted with a search)
  • A static value added by me named all and having the value *

In the timechart, I want to have two series, as follows:

  • One for the total count of those events
  • One for the events that match the selected status from the input AND the value is not "not found"

Until now, I have the following query:

index="my_events" 
| makemv delim="," status
| eval matching=if(status!="not found" AND status="$status_tok$", 1, 0)
| timechart
count(_raw) as "All events"
sum(matching) as "Matching events"

This search works for all the values, but not for the "all" one. If I select "all", the "matching" series will always be 0. I tried to use LIKE or a combination between eval and search but I could not get the desired results.

How can I achieve the above described behavior? Where is the mistake in my query or how can I improve it?

Thanks!

Edit:
I also have a panel with a single value to show only the matching events from the previous hour. It looks like this:

earliest=-1h latest=now() index="my_events" 
| makemv delim="," status
| search status!="not found"
| search status="$sourcetype_tok$"
| timechart span=1h count

I want to say that this is working (maybe because * in combination with search works differently).

0 Karma

woodcock
Esteemed Legend

Change your "all" value in the dropdown to .+ and change this line:

 | eval matching=if(status!="not found" AND status="$status_tok$", 1, 0)

To this:

 | eval matching=if(status!="not found" AND match(status, "$status_tok$"), 1, 0)

The problem is that the * character is a wildcard with search but a string literal with eval and where.

richgalloway
SplunkTrust

This is the right idea, but match expects a regular expression and "*" is not valid regex. I think this will do it:

| eval token=if("$status_tok$"="*", ".*", "$status_tok$")
| eval matching=if(status!="not found" AND match(status, 'token'), 1, 0)

---
If this reply helps you, Karma would be appreciated.
0 Karma

woodcock
Esteemed Legend

No, see the first part of my sentence about changing to .+; that's where the RegEx is.

0 Karma
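A Python model of the search pipeline discussed above, added here as an example (it is not code from the thread or from Splunk): the makemv split, the original literal status="$status_tok$" comparison beside the match()-based fix with the "all" token converted to a regex, and hourly bucketing into the two timechart series. The sample events, the hypothetical function names and the per-value treatment of the multivalue status field are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample events (not from the thread): (_time, status field before makemv).
EVENTS = [
    ("2024-05-01T10:05:00", "ok"),
    ("2024-05-01T10:20:00", "error,retry"),
    ("2024-05-01T10:40:00", "not found"),
    ("2024-05-01T11:10:00", "error"),
    ("2024-05-01T11:30:00", "not found,error"),
    ("2024-05-01T11:50:00", "fatal error"),
]
NOT_FOUND = "not found"


def makemv(raw, delim=","):
    """Model of `makemv delim="," status`: one event field becomes a list of values."""
    return raw.split(delim)


def token_to_regex(token):
    """The thread's fix: * is a wildcard for `search` but a literal for `eval`,
    so the dropdown's 'all' value is mapped to a regex before calling match().
    Anchors are added so that 'error' does not also match 'fatal error'."""
    if token == "*":
        return "^.+$"
    return "^" + re.escape(token) + "$"


def matching_literal(values, token):
    """Original query: status="$status_tok$" compared literally; * never equals a value."""
    return any(v != NOT_FOUND and v == token for v in values)


def matching_regex(values, token):
    """Fixed query: match(status, <converted token>) on each value after makemv."""
    pattern = re.compile(token_to_regex(token))
    return any(v != NOT_FOUND and pattern.search(v) for v in values)


def timechart(events, token, matcher):
    """Model of `timechart count as "All events" sum(matching) as "Matching events"`
    with a one-hour span; returns {bucket: (all_events, matching_events)}."""
    series = {}
    for ts, raw in events:
        bucket = datetime.fromisoformat(ts).strftime("%Y-%m-%d %H:00")
        all_count, match_count = series.get(bucket, (0, 0))
        series[bucket] = (all_count + 1, match_count + int(matcher(makemv(raw), token)))
    return series
```

With the "*" token the literal comparison yields a matching series of all zeros, which is the symptom in the question, while the regex version counts every event whose status is not "not found".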

felipesewaybric
Contributor

You can try:

 index="my_events" 
 | makemv delim="," status
 | eval matching=if(status!="not found" AND status="$status_tok$", 1, 0)
 | timechart
 count as "All events"
 sum(matching) as "Matching events"

0 Karma