Splunk Search

How to search two different events by two different eventtypes?

Communicator

Hi,

I have two different eventtypes in which I have defined two different events given below:

eventattachment contains index=abc sourcetype=xyz "is attachment"
eventextract contains index=abc sourcetype=asd "is Extract"

Both have the same index and sourcetype. Both share the same tag "http-access-in".

Now I want to make one dashboard under which I can grep the value of both different eventtypes "eventattachment" & "eventextract"

My search is something like the one below, but it is not giving me the exact result:

eventtype="event_attachment" OR eventtype="event_extract"  tag::http-access-in | timechart count by http-access-in

It is giving me the values under a column named "null" over the time frame, but I want to see both eventtypes in the result output instead of a null column.

Thanks


Esteemed Legend

Like this:

(eventtype="event_attachment" OR eventtype="event_extract") tag::http-access-in | timechart count by tag::http-access-in

Or maybe this:

(eventtype="event_attachment" OR eventtype="event_extract") tag::http-access-in | timechart count by tag::http-access-in eventtype

Or maybe this:

(eventtype="event_attachment" OR eventtype="event_extract") tag::http-access-in | timechart count by eventtype



Esteemed Legend

Try this:

(eventtype="event_attachment" OR eventtype="event_extract") tag::http-access-in | timechart count by eventtype | fields - access_attachment access_event

Communicator

Sorry woodcock for replying late, as I am on leave. Your query above gave me the exact result that I wanted, so once again thanks a lot.

Regards


Communicator

Thanks for the reply, but your first query gave a result with a null column, the second query shows an error (Error in 'timechart' command: The argument 'eventtype' is invalid.), and the third query shows the result with my desired column names, but there are 2 extra columns in the output, "accessattachment" and "accessevent", because these two also show up in Splunk Settings -> Eventtypes. So how do I get these two out of the output?

Regards


Motivator

... | timechart count by eventtype

There is nothing forcing your display-by to be any of your select criteria.

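The extra columns appear because `eventtype` is a multivalue field: every eventtype definition an event matches is appended to it, so any other eventtype over the same index (the two `access_*` ones here, and any added later) also becomes a `timechart` column, and a `fields -` list of known names has to be maintained by hand. The search below is an added example, not from the thread: it keeps only the two eventtypes the base search asked for before splitting, using the eventtype names from the queries above; `span=1h` is an assumed bucket size.

```spl
(eventtype="event_attachment" OR eventtype="event_extract") tag::http-access-in
| eval eventtype=mvfilter(match(eventtype, "^event_(attachment|extract)$"))
| timechart span=1h count by eventtype
```

Because the filter is tied to the names in the base search rather than to the names of the unwanted columns, new eventtypes matching the same events will not silently show up in the dashboard.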

Communicator

The query shows the result with my desired column names, but there are 2 extra columns in the output, "accessattachment" and "accessevent", because these two also show up in Splunk Settings -> Eventtypes. So how do I get these two out of the output?
