- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to append 3 timecharts to one search?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to append 3 timecharts to one search?
Hi,
I want to count the number of events returned based on application source and display them as different timecharts. I realized appendcols only appends two timecharts and it is rather inefficient as many terms are repeated. For example, host, errorguid etc. Is there a way for me to append the third chart "TalentAnalyzer" as well?
earliest=-1d@d latest=@d host=NETWEBA* sourcetype="WinEventLog:Application" AND ApplicationSource="/api/tcrm*" AND "ErrorGUID" | timechart span=1h count AS "Api.TCRM" | appendcols [search earliest=-1d@d latest=@d host=NETWEBA* sourcetype="WinEventLog:Application" AND ApplicationSource="/jcm*" AND "ErrorGUID" | timechart span=1h count AS "JCM" ] | appendcols [search earliest=-1d@d latest=@d host=NETWEBA* sourcetype="WinEventLog:Application" AND ApplicationSource="/TalentAnalyzer*" AND "ErrorGUID" | timechart span=1h count AS "TalentAnalyzer" ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @lsy9891,
Try something like this instead of using appeds :
earliest=-1d@d latest=@d host=NETWEBA* sourcetype="WinEventLog:Application" "ErrorGUID" ( ApplicationSource="/api/tcrm*" OR ApplicationSource="/TalentAnalyzer*" ApplicationSource="/jcm*")
| eval App= case(match(ApplicationSource,"/api/tcrm*"),"Api.TCRM", match(ApplicationSource,"/jcm*"),"JCM",match(ApplicationSource,"/TalentAnalyzer*"),"TalentAnalyzer")
| timechart span=1h count by App
Let me know if that helps.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried that query and it returns 0 events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is a missing OR between app source of jcm and talentanalyzer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why does talentanalyzer appear as Null in the graph?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I realized it's because it returns 0 events for the time frame. Can it still display as "Talentanalyzer" even if it returns 0 events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey hey,
Glad it worked out for you, have you tried fillnull to add zeros to null values ? That should help fix your remaining issue.
Cheers,
David
Video | Welcome Back to Smartness, Pedro
Detector Best Practices: Static Thresholds
Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...
