Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to convert base search query that uses stats into a timechart?

lsy9891
Engager
‎09-12-2019 12:25 AM

Hi, I want to display this query in my dashboard in two different charts.

So this is my base search query:
search base="OrderSearch"

host=NETWEBA* sourcetype=iis NOT("ErrorGuid") (sc_status="2**" OR sc_status="3**") "GET" | rex field=cs_referer "https:\/\/[a-zA-Z]+\.[a-zA-Z]+\.([a-zA-Z]+|[a-zA-Z]+.[a-zA-Z]+)\/order20\/order\/confirmation-v2\/(?<orderID>[0-9]+)(.*)"  | dedup orderID |stats count by cs_host

Then I want to display this in a different timechart:

search id="OrderSearch"

timechart span=1h count(orderID) as Number_of_Orders

I tried changing it to eventstats but it didn't work?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-12-2019 05:14 AM

You have your search tags reversed. The base search should useid="OrderSearch" and the post-processing search should use base="OrderSearch".

That said, the timesearch fails because it needs _time and orderID fields, neither of which come out of the base search because stats filters fields to those explicitly mentioned. eventstats should fix that once the fix above is implemented.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

lsy9891
Engager
‎09-12-2019 08:40 PM

Hi, I've swapped the base search and post-processing search and changed it to eventstats but then the base search will not display a chart since we can pick the visualization for stats but not eventstats?

Basically, I need the base query to display a pie chart from stats count by cs_host and the post search query to display a timechart. Timechart span=1h count(orderID) as Number_of_Orders

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-18-2019 05:54 AM

Base searches should not create visualizations. Do the visualization in post-processing.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...