Splunk Search

How to show a line chart for failureCount, warningCounttimechart by time?

dezmadi
Path Finder

Hi,

 

I am using the below query in my dashboard:

index="deng03-cis-dev-audit"
| spath PATH=data.labels.verbose_message output=verbose_message
| eval serviceName = mvindex(split(index, "-"), 1)."-".mvindex(split(host, "-"), 2)
| search "data.labels.activity_type_name"="ViolationOpenEventv1"
| where (verbose_message like "%Oldest unacked message age%evt%" or verbose_message like "%Oldest unacked message age%rec%")
| eval error=case(like(verbose_message,"%above the threshold of 1800.000%"), "warning", like(verbose_message,"%above the threshold of 300.000%"), "failure")
| stats values(serviceName) as serviceName count(eval(error=="failure")) as failureCount count(eval(error=="warning")) as warningCounttimechart

I want to show a line chart for failureCount and warningCounttimechart by time. I tried appending | timechart span=1d count by failureCount, warningCounttimechart, but to no avail.


ITWhisperer
SplunkTrust

Try changing

| stats values(serviceName) as serviceName count(eval(error=="failure")) as failureCount count(eval(error=="warning")) as warningCounttimechart

to

| timechart count by error


dezmadi
Path Finder

Thanks, it works. However, I am doing it like below:

<search id="pubsubLatencyHighAckDelayDFBaseSearch">
  <query>index="deng03-cis-dev-audit"
| spath PATH=data.labels.verbose_message output=verbose_message
| eval serviceName = mvindex(split(index, "-"), 1)."-".mvindex(split(host, "-"), 2)
| search "data.labels.activity_type_name"="ViolationOpenEventv1"
| where (verbose_message like "%Oldest unacked message age%evt%" or verbose_message like "%Oldest unacked message age%rec%")
| eval error=case(like(verbose_message,"%above the threshold of 1800.000%"), "warning", like(verbose_message,"%above the threshold of 300.000%"), "failure")</query>
  <earliest>$time.earliest$</earliest>
  <latest>$time.latest$</latest>
  <sampleRatio>1</sampleRatio>
</search>

Now I want to append a line in the below <row>:

<row>
  <panel>
    <title>STATS : SLI/SLO Dashboard count</title>
    <table>
      <search base="pubsubLatencyHighAckDelayDFBaseSearch"></search>
    </table>
  </panel>
</row>

How can we append a line in <search base="pubsubLatencyHighAckDelayDFBaseSearch"></search>?

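Putting the accepted answer (| timechart count by error) together with the base search from the follow-up post, the following Simple XML shows where the appended line goes: a post-process search's <query> inside a <chart> panel, starting with a pipe. This is an added example, not code from the original thread or from Splunk. The search id, index, field names and case() thresholds are taken from the posts above; the <form> wrapper, the time input named "time" (needed for the $time.earliest$/$time.latest$ tokens the asker already uses), the panel title, span=1d and the chart options are assumptions for illustration.

```xml
<form>
  <label>Pub/Sub ack delay violations</label>

  <!-- Assumed time picker; it supplies the $time.earliest$ / $time.latest$ tokens used below. -->
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Base search from the follow-up post, a sibling of <row>, not wrapped around it.
       Note: the case() has no default branch, so an event matching neither threshold gets a
       null "error" value and is silently dropped from "count by error" below. -->
  <search id="pubsubLatencyHighAckDelayDFBaseSearch">
    <query>index="deng03-cis-dev-audit"
| spath PATH=data.labels.verbose_message output=verbose_message
| eval serviceName = mvindex(split(index, "-"), 1)."-".mvindex(split(host, "-"), 2)
| search "data.labels.activity_type_name"="ViolationOpenEventv1"
| where (verbose_message like "%Oldest unacked message age%evt%" or verbose_message like "%Oldest unacked message age%rec%")
| eval error=case(like(verbose_message,"%above the threshold of 1800.000%"), "warning", like(verbose_message,"%above the threshold of 300.000%"), "failure")</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
    <sampleRatio>1</sampleRatio>
  </search>

  <row>
    <panel>
      <!-- Assumed title -->
      <title>Ack delay violations per day: failure vs warning</title>
      <chart>
        <!-- The "appended line": a post-process search over the base search.
             It produces one series per distinct value of error ("failure", "warning"),
             so the chart draws one line each. span=1d is assumed; drop it to let
             timechart pick a span from the time range. -->
        <search base="pubsubLatencyHighAckDelayDFBaseSearch">
          <query>| timechart span=1d count by error</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
  </row>
</form>
```

Two caveats worth checking before relying on the chart. The base search here is non-transforming (it returns raw events), and Splunk documents a cap of 500,000 events for post-processing such a base search; if the audit index is busy, the daily counts will be truncated without an error, so either narrow the base search further or move the timechart into the base search itself. And because the case() in the base search has no catch-all, any violation text that does not match either threshold string is excluded from both lines; adding a default branch such as true(), "other" makes those events visible as a third series instead of disappearing.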
