Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my timechart search to show the individual count of 2 strings in one chart?

dl-it-serveradm
Engager
‎01-27-2016 07:14 AM

We are trying to create a Timechart showing the number of occurrences of 2 strings. Here is the search:

index="prodXlogs" "socket write error" OR "java.sql.SQLException" | timechart count(eval("socket write error")) AS SWE, count(eval("java.sql.SQLException")) AS JSE

The results are inaccurate.
For example, on 1/27/2016, there are 6 events that match java.sql.SQLException, with 0 matching "socket write error".
On 1/26/2016 there are 31 events that match java.sql.SQLException, with 4 matching "socket write error".

The results we are getting for each _time appears to be the total occurences for that day, not the individual totals:

_time        SWE   JSE
2016-01-24  0    0
2016-01-25  35  35
2016-01-26  35  35
2016-01-27  6    6

Also, in the visualization, it is showing 2 charts, not 1.

What are we doing wrong?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-27-2016 09:23 AM

Try something like this

index="prodXlogs" "socket write error" OR "java.sql.SQLException" | timechart count(eval(match(_raw,"socket write error"))) AS SWE, count(eval(match(_raw,"java.sql.SQLException"))) AS JSE

Since you're calculating two counts over time,you'll get two series in your chart.

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-27-2016 09:23 AM

Try something like this

index="prodXlogs" "socket write error" OR "java.sql.SQLException" | timechart count(eval(match(_raw,"socket write error"))) AS SWE, count(eval(match(_raw,"java.sql.SQLException"))) AS JSE

Since you're calculating two counts over time,you'll get two series in your chart.

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...