Splunk Search

How do you plot two series (total vs matching condition) to a timechart?

New Member

Hello!

I have an index with events that have a status field. They come in the index in real time. I have a dashboard with a timechart and here I want to plot two series based on the selected input above. This input is a dropdown list consisting of:

  • All the possible values of the status field (extracted with a search)
  • A static value added by me named "all" and having the value *

In the timechart, I want to have two series, as follows:

  • One for the total count of those events
  • One for the events that match the selected status from the input AND the value is not "not found"

Until now, I have the following query:

index="my_events" 
| makemv delim="," status
| eval matching=if(status!="not found" AND status="$status_tok$", 1, 0)
| timechart
count(_raw) as "All events"
sum(matching) as "Matching events"

This search works for all the values, but not for the "all" one. If I select "all", the "matching" series will always be 0. I tried to use LIKE or a combination between eval and search, but I could not get the desired results.

How can I achieve the above described behavior? Where is the mistake in my query or how can I improve it?

Thanks!

Edit:
I also have a panel with a single value to show only the matching events from the previous hour. It looks like this:

earliest=-1h latest=now() index="my_events" 
| makemv delim="," status
| search status!="not found"
| search status="$sourcetype_tok$"
| timechart span=1h count

I want to say that this is working (maybe because * in combination with search works differently).

0 Karma

Esteemed Legend

Change your "all" value in the dropdown to .+ and change this line:

 | eval matching=if(status!="not found" AND status="$status_tok$", 1, 0)

To this:

 | eval matching=if(status!="not found" AND match(status, "$status_tok$"), 1, 0)

The problem is that the * character is a wildcard with search but a string literal with eval and where.

SplunkTrust

This is the right idea, but match expects a regular expression and "*" is not valid regex. I think this will do it:

 | eval token=if("$status_tok$"="*", ".*", "$status_tok$")
 | eval matching=if(status!="not found" AND match(status, 'token'), 1, 0)

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Esteemed Legend

No, see the first part of my sentence about changing to .+; that's where the RegEx is.

0 Karma
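As an added example (not posted by anyone in this thread), the search below shows the point both answers make: in search, * is a wildcard, but inside eval it is just the literal string "*", so the "all" choice has to be handled explicitly rather than compared as a value. The first four lines build constructed sample events with makeresults so the search runs on any Splunk instance without the my_events index; in the dashboard, replace them with index="my_events" and keep the rest. $status_tok$ is assumed to be the dropdown token from the question, with the "all" choice still carrying the value *, and the comparison of the multivalue status field is left exactly as in the original query.

```spl
| makeresults count=8
| streamstats count AS n
| eval _time=now() - (n * 600)
| eval status=case(n=1, "ok", n=2, "ok,retry", n=3, "not found", n=4, "error", n=5, "ok", n=6, "not found,retry", n=7, "error", n=8, "retry")
| makemv delim="," status
| eval selected="$status_tok$"
| eval matching=if(status!="not found" AND (selected="*" OR status=selected), 1, 0)
| timechart span=10m count AS "All events" sum(matching) AS "Matching events"
```

Quoting the token ("$status_tok$") matters: unquoted, eval reads a value such as ok as a field name and * as a syntax error. Branching on selected="*" avoids regex entirely, so a status value that contains regex metacharacters cannot change the result; if the dropdown value is changed to .+ as suggested above, swap the OR clause for match(status, selected) instead.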

Contributor

You can try:

 index="my_events" 
 | makemv delim="," status
 | eval matching=if(status!="not found" AND status="$status_tok$", 1, 0)
 | timechart
 count as "All events"
 sum(matching) as "Matching events"
0 Karma