Splunk Search

How to show a line chart for failureCount, warningCounttimechart by time?

dezmadi
Path Finder

Hi,

I am using the below query in my dashboard:

index="deng03-cis-dev-audit"
| spath PATH=data.labels.verbose_message output=verbose_message
| eval serviceName = mvindex(split(index, "-"), 1)."-".mvindex(split(host, "-"), 2)
| search "data.labels.activity_type_name"="ViolationOpenEventv1"
| where (verbose_message like "%Oldest unacked message age%evt%" or verbose_message like "%Oldest unacked message age%rec%")
| eval error=case(like(verbose_message,"%above the threshold of 1800.000%"), "warning", like(verbose_message,"%above the threshold of 300.000%"), "failure")
| stats values(serviceName) as serviceName count(eval(error=="failure")) as failureCount count(eval(error=="warning")) as warningCounttimechart

I want to show a line chart for failureCount, warningCounttimechart by time. I tried appending "timechart span=1d count by failureCount, warningCounttimechart", but to no avail.

0 Karma
1 Solution

ITWhisperer
SplunkTrust

Try changing

| stats values(serviceName) as serviceName count(eval(error=="failure")) as failureCount count(eval(error=="warning")) as warningCounttimechart

to

| timechart count by error


dezmadi
Path Finder

Thanks, it works. However, I am doing it like below:

<search id="pubsubLatencyHighAckDelayDFBaseSearch">
  <query>index="deng03-cis-dev-audit"
| spath PATH=data.labels.verbose_message output=verbose_message
| eval serviceName = mvindex(split(index, "-"), 1)."-".mvindex(split(host, "-"), 2)
| search "data.labels.activity_type_name"="ViolationOpenEventv1"
| where (verbose_message like "%Oldest unacked message age%evt%" or verbose_message like "%Oldest unacked message age%rec%")
| eval error=case(like(verbose_message,"%above the threshold of 1800.000%"), "warning", like(verbose_message,"%above the threshold of 300.000%"), "failure")</query>
  <earliest>$time.earliest$</earliest>
  <latest>$time.latest$</latest>
  <sampleRatio>1</sampleRatio>
</search>

Now I want to append a line in the row below:

<row>
  <panel>
    <title>STATS : SLI/SLO Dashboard count</title>
    <table>
      <search base="pubsubLatencyHighAckDelayDFBaseSearch"></search>
    </table>
  </panel>
</row>

How can we append a line in <search base="pubsubLatencyHighAckDelayDFBaseSearch"></search>?

0 Karma
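As an added example (not from the original post or from ITWhisperer's answer), the Simple XML below shows how both the accepted "| timechart count by error" and the original stats line are attached to the base search: in a post-process search the SPL to append goes inside a <query> element of the <search base="..."> element and must begin with a pipe, because it continues the pipeline of the base search rather than starting a new one. The base search, its id and the table panel title are taken from the thread above; the <form> skeleton, the time input, the second panel, span=1d (from the question's own attempt) and usenull=f are assumptions added here.

```xml
<form>
  <label>SLI/SLO Dashboard</label>
  <!-- Time picker that feeds the $time.earliest$ / $time.latest$ tokens used by the base search (assumed) -->
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Base search from the post: runs once and ends in eval (non-transforming), so _time survives for timechart -->
  <search id="pubsubLatencyHighAckDelayDFBaseSearch">
    <query>index="deng03-cis-dev-audit"
| spath PATH=data.labels.verbose_message output=verbose_message
| eval serviceName = mvindex(split(index, "-"), 1)."-".mvindex(split(host, "-"), 2)
| search "data.labels.activity_type_name"="ViolationOpenEventv1"
| where (verbose_message like "%Oldest unacked message age%evt%" or verbose_message like "%Oldest unacked message age%rec%")
| eval error=case(like(verbose_message,"%above the threshold of 1800.000%"), "warning", like(verbose_message,"%above the threshold of 300.000%"), "failure")</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
    <sampleRatio>1</sampleRatio>
  </search>

  <row>
    <panel>
      <title>STATS : SLI/SLO Dashboard count</title>
      <table>
        <!-- Post-process search: the appended SPL starts with a pipe and continues the base search -->
        <search base="pubsubLatencyHighAckDelayDFBaseSearch">
          <query>| stats values(serviceName) as serviceName count(eval(error=="failure")) as failureCount count(eval(error=="warning")) as warningCount</query>
        </search>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <title>Failures and warnings per day</title>
      <chart>
        <!-- The accepted answer's timechart, one series per value of "error";
             usenull=f (assumed) drops events that matched neither threshold in case() -->
        <search base="pubsubLatencyHighAckDelayDFBaseSearch">
          <query>| timechart span=1d count by error usenull=f</query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

Two caveats when using this pattern. First, any <, > or & inside a <query> must be XML-escaped; the SPL above contains none, which is why it can be pasted as-is. Second, a base search that ends in a non-transforming command (as this one does, with eval) hands only a capped number of raw events to its post-process searches, so over a long time range the table and the chart can silently undercount. If that bites, move the bucketing into the base search (for example end it with "| bin _time span=1d | stats count by _time, error, serviceName") and have the panels post-process that aggregated result instead.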
