Hi,
I have two different eventtypes, in which I have defined two different events, given below:
event_attachment contains index=abc sourcetype=xyz "is attachment"
event_extract contains index=abc sourcetype=asd "is Extract"
Both have the same index and sourcetype. Both share the same tag "http-access-in".
Now I want to make one dashboard in which I can grep the values of both eventtypes, "event_attachment" & "event_extract".
My search is something like the one below, but I am not getting the exact result:
eventtype="event_attachment" OR eventtype="event_extract" tag::http-access-in | timechart count by http-access-in
It is giving me the values with the column name "null" over the time frame, but I want to see both eventtypes in the result output instead of a null column.
Thanks
Like this:
(eventtype="event_attachment" OR eventtype="event_extract") tag::http-access-in | timechart count by tag::http-access-in
Or maybe this:
(eventtype="event_attachment" OR eventtype="event_extract") tag::http-access-in | timechart count by tag::http-access-in eventtype
Or maybe this:
(eventtype="event_attachment" OR eventtype="event_extract") tag::http-access-in | timechart count by eventtype
Try this:
(eventtype="event_attachment" OR eventtype="event_extract") tag::http-access-in | timechart count by eventtype | fields - access_attachment access_event
Sorry, woodcock, for replying late, as my time off is going on. Well, your above query gave me the exact result I wanted, so once again thanks a lot.
Regards
Thanks for the reply, but your first query gave a result with a null column, the second query showed an error (Error in 'timechart' command: The argument 'eventtype' is invalid.), and the third query showed a result with my desired column names, but there are 2 more extra columns showing in the output, "access_attachment" and "access_event", because these two are also showing in Splunk Settings -> Event types. So how do I get these two out of the output?
Regards
... | timechart count by eventtype
There is nothing forcing your display-by to be any of your select criteria.