Hi,
Request any help for the below questions:
1) I have two different searches:
sourcetype=bcd "JMS-120: Dequeue failed" OR "JMS-131: Session is closed" OR "Dequeue failed" source="servers/A_MS*/logs/SS*-diagc.log" destination="*" |stats count | RENAME count as DEQUEUE_ERROS
Results:
DEQUEUE_ERROS
100
sourcetype=bcd operation=* host=abcd*p |stats count |RENAME count as Consumers
Results:
Consumers
200
I want to combine both searches and get results like below:
DEQUEUE_ERROS 100
Consumers 200
Can you please help with the search?
Another question: I'm preparing a dashboard based on the above results, and if I click on Consumers, it has to execute another search below. Is that possible? If so, can you provide some guidance?
sourcetype=bcd operation=* ConsumerServices="*" host=abcd*p |stats count by ConsumerServices | sort -count
Any help is appreciated!
One option, if your data volume is not too large, would be to use appendcols. Try this.
sourcetype=bcd "JMS-120: Dequeue failed" OR "JMS-131: Session is closed" OR "Dequeue failed" source="servers/A_MS*/logs/SS*-diagc.log" destination="*" |stats count | RENAME count as DEQUEUE_ERROS | appendcols [search sourcetype=bcd operation=* host=abcd*p |stats count |RENAME count as Consumers]
This will give you two columns - DEQUEUE_ERROS & Consumers.
In your dashboard (assuming tabular display), you could use conditional drilldown.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Viz/PanelreferenceforSimplifiedXML#condition_.28dr...
So in your case, it would look like this
<drilldown>
<condition field="Consumers">
<link>http://www.google.com</link>
</condition>
</drilldown>
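An added example, not part of the original answer: a complete Simple XML table panel that runs the appendcols search above and, on a click in the Consumers column, opens the follow-up search from the question instead of a placeholder URL. The dashboard label, the time range, the `search` app path and `target="_blank"` are assumptions.

```xml
<dashboard>
  <!-- Label is a constructed placeholder -->
  <label>JMS dequeue errors and consumers</label>
  <row>
    <panel>
      <table>
        <search>
          <!-- Combined search from the answer: one row, two columns -->
          <query>sourcetype=bcd "JMS-120: Dequeue failed" OR "JMS-131: Session is closed" OR "Dequeue failed" source="servers/A_MS*/logs/SS*-diagc.log" destination="*" | stats count | rename count as DEQUEUE_ERROS | appendcols [search sourcetype=bcd operation=* host=abcd*p | stats count | rename count as Consumers]</query>
          <!-- Assumed time range; adjust to the dashboard's needs -->
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- Cell-level drilldown so the clicked column can be tested -->
        <option name="drilldown">cell</option>
        <drilldown>
          <!-- Fires only when the clicked cell is in the Consumers column -->
          <condition field="Consumers">
            <!-- URL-encoded form of the follow-up search from the question:
                 search sourcetype=bcd operation=* ConsumerServices="*" host=abcd*p
                 | stats count by ConsumerServices | sort -count
                 Opened in the search view of the (assumed) search app. -->
            <link target="_blank">/app/search/search?q=search%20sourcetype%3Dbcd%20operation%3D*%20ConsumerServices%3D%22*%22%20host%3Dabcd*p%20%7C%20stats%20count%20by%20ConsumerServices%20%7C%20sort%20-count</link>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```

The link target is a static string, so no clicked value is interpolated into the search; if a token such as `$click.value2$` is added to the URL later, apply the `|u` token filter so the value is URL-encoded.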
Thank you! It is showing the correct statistics, but when it comes to visualization, it is showing up a wrong line graph to me: it is showing the x-axis as consumers and the y-axis as Dequeue errors?