Solved: Re: How to edit my timechart search to show the in...

dl-it-serveradm · ‎01-27-2016

We are trying to create a Timechart showing the number of occurrences of 2 strings. Here is the search:

index="prodXlogs" "socket write error" OR "java.sql.SQLException" | timechart count(eval("socket write error")) AS SWE, count(eval("java.sql.SQLException")) AS JSE

The results are inaccurate.
For example, on 1/27/2016, there are 6 events that match java.sql.SQLException, with 0 matching "socket write error".
On 1/26/2016 there are 31 events that match java.sql.SQLException, with 4 matching "socket write error".

The results we are getting for each _time appears to be the total occurences for that day, not the individual totals:

_time        SWE   JSE
2016-01-24  0    0
2016-01-25  35  35
2016-01-26  35  35
2016-01-27  6    6

Also, in the visualization, it is showing 2 charts, not 1.

What are we doing wrong?

Thanks!

somesoni2 · ‎01-27-2016

Try something like this

index="prodXlogs" "socket write error" OR "java.sql.SQLException" | timechart count(eval(match(_raw,"socket write error"))) AS SWE, count(eval(match(_raw,"java.sql.SQLException"))) AS JSE

Since you're calculating two counts over time,you'll get two series in your chart.

View solution in original post

somesoni2 · ‎01-27-2016

Try something like this

index="prodXlogs" "socket write error" OR "java.sql.SQLException" | timechart count(eval(match(_raw,"socket write error"))) AS SWE, count(eval(match(_raw,"java.sql.SQLException"))) AS JSE

Since you're calculating two counts over time,you'll get two series in your chart.

How to edit my timechart search to show the individual count of 2 strings in one chart?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms