Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to convert base search query that uses stats into a timechart?

lsy9891
Engager
‎09-12-2019 12:25 AM

Hi, I want to display this query in my dashboard in two different charts.

So this is my base search query:
search base="OrderSearch"

host=NETWEBA* sourcetype=iis NOT("ErrorGuid") (sc_status="2**" OR sc_status="3**") "GET" | rex field=cs_referer "https:\/\/[a-zA-Z]+\.[a-zA-Z]+\.([a-zA-Z]+|[a-zA-Z]+.[a-zA-Z]+)\/order20\/order\/confirmation-v2\/(?<orderID>[0-9]+)(.*)"  | dedup orderID |stats count by cs_host

Then I want to display this in a different timechart:

search id="OrderSearch"

timechart span=1h count(orderID) as Number_of_Orders

I tried changing it to eventstats but it didn't work?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-12-2019 05:14 AM

You have your search tags reversed. The base search should useid="OrderSearch" and the post-processing search should use base="OrderSearch".

That said, the timesearch fails because it needs _time and orderID fields, neither of which come out of the base search because stats filters fields to those explicitly mentioned. eventstats should fix that once the fix above is implemented.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

lsy9891
Engager
‎09-12-2019 08:40 PM

Hi, I've swapped the base search and post-processing search and changed it to eventstats but then the base search will not display a chart since we can pick the visualization for stats but not eventstats?

Basically, I need the base query to display a pie chart from stats count by cs_host and the post search query to display a timechart. Timechart span=1h count(orderID) as Number_of_Orders

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-18-2019 05:54 AM

Base searches should not create visualizations. Do the visualization in post-processing.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...