Splunk Search

How to search two different events by two different eventtypes?

sunnyparmar
Communicator

Hi,

I have two different eventtypes in which I have defined two different events given below:

event_attachment contains index=abc sourcetype=xyz "is attachment"
event_extract contains index=abc sourcetype=asd "is Extract"

Both have the same index and sourcetype. Both share the same tag "http-access-in"

Now I want to make one dashboard under which I can grep the value of both different eventtypes "event_attachment" & "event_extract"

My search is something like below, but not getting the exact result:

eventtype="event_attachment" OR eventtype="event_extract"  tag::http-access-in | timechart count by http-access-in

It is giving me the values with the column name "null" with the time frame, but I want to see the both eventtypes in the result output instead of a null column.

Thanks

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

(eventtype="event_attachment" OR eventtype="event_extract") tag::http-access-in | timechart count by tag::http-access-in

Or maybe this:

(eventtype="event_attachment" OR eventtype="event_extract") tag::http-access-in | timechart count by tag::http-access-in eventtype

Or maybe this:

(eventtype="event_attachment" OR eventtype="event_extract") tag::http-access-in | timechart count by eventtype

View solution in original post

woodcock
Esteemed Legend

Like this:

(eventtype="event_attachment" OR eventtype="event_extract") tag::http-access-in | timechart count by tag::http-access-in

Or maybe this:

(eventtype="event_attachment" OR eventtype="event_extract") tag::http-access-in | timechart count by tag::http-access-in eventtype

Or maybe this:

(eventtype="event_attachment" OR eventtype="event_extract") tag::http-access-in | timechart count by eventtype

woodcock
Esteemed Legend

Try this:

 (eventtype="event_attachment" OR eventtype="event_extract") tag::http-access-in | timechart count by eventtype | fields - access_attachment access_event

sunnyparmar
Communicator

Sorry woodcock for replying late as my off is going on.. well your above given query gave me the exact result what I want so once again thanks a lot..

Regards

0 Karma

sunnyparmar
Communicator

Thanks for reply but your first query gave result with null column, second query showing error (Error in 'timechart' command: The argument 'eventtype' is invalid. ) and third query showing result with my desired column names but there are 2 more extra column showing in output that is "access_attachment" and "access_event" because these two also are showing in splunk settings -> eventtypes so how to get out these two from the output?

Regards

0 Karma

grijhwani
Motivator

... | timechart count by eventtype

There is nothing forcing your display-by to be any of your select criteria.

0 Karma

sunnyparmar
Communicator

query showing result with my desired column names but there are 2 more extra column showing in output that is "access_attachment" and "access_event" because these two also are showing in splunk settings -> eventtypes so how to get out these two from the output?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...