Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my timechart search to show the individual count of 2 strings in one chart?

dl-it-serveradm
Engager
‎01-27-2016 07:14 AM

We are trying to create a Timechart showing the number of occurrences of 2 strings. Here is the search:

index="prodXlogs" "socket write error" OR "java.sql.SQLException" | timechart count(eval("socket write error")) AS SWE, count(eval("java.sql.SQLException")) AS JSE

The results are inaccurate.
For example, on 1/27/2016, there are 6 events that match java.sql.SQLException, with 0 matching "socket write error".
On 1/26/2016 there are 31 events that match java.sql.SQLException, with 4 matching "socket write error".

The results we are getting for each _time appears to be the total occurences for that day, not the individual totals:

_time        SWE   JSE
2016-01-24  0    0
2016-01-25  35  35
2016-01-26  35  35
2016-01-27  6    6

Also, in the visualization, it is showing 2 charts, not 1.

What are we doing wrong?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-27-2016 09:23 AM

Try something like this

index="prodXlogs" "socket write error" OR "java.sql.SQLException" | timechart count(eval(match(_raw,"socket write error"))) AS SWE, count(eval(match(_raw,"java.sql.SQLException"))) AS JSE

Since you're calculating two counts over time,you'll get two series in your chart.

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-27-2016 09:23 AM

Try something like this

index="prodXlogs" "socket write error" OR "java.sql.SQLException" | timechart count(eval(match(_raw,"socket write error"))) AS SWE, count(eval(match(_raw,"java.sql.SQLException"))) AS JSE

Since you're calculating two counts over time,you'll get two series in your chart.

Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...