Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use time picker to display the data in this query with appendcols?

lsy9891
Engager
‎09-16-2019 07:19 PM

Hi, I have this query:

host="NETAPPA*" sourcetype="WinEventLog:Application" AND AppDomainName= "EcomSubscription.*"AND "ErrorGUID" | timechart span=1h count AS "EcomSubscription" | appendcols [search host=NETAPPA* sourcetype="WinEventLog:Application" AND LogName="Application" AND ExceptionManager_AppDomainName= "Monster.Services.Windows.ServiceBase.exe" | timechart span=1h count AS "MonsterWindowServices" ]

I changed the setting of the shared time picker to last 24 hours and the chart just returns null but when I changed the setting to last 7 days there are results. But from the 7-day results it shows that 'Monster window services' is not null for the last 24 hours. Is it because of the appendcols?

EDIT:I realized when ecomsubsription is null monster window services does not display as well eventhough it is not null? Is there a way to avoid appendcols altogether?

0 Karma
Reply

adonio
Ultra Champion
‎09-16-2019 07:50 PM

not sure why appending, seems like you are almost searching for the same things, and now all it needed is to sort the counts over time by the "unique search stings"

try this:

(index = <YOUR INDEX HERE> host="NETAPPA*" sourcetype="WinEventLog:Application" AppDomainName= "EcomSubscription.*" "ErrorGUID") OR  (index = <YOUR INDEX HERE> host="NETAPPA*" sourcetype="WinEventLog:Application" LogName="Application" AND ExceptionManager_AppDomainName="Monster.Services.Windows.ServiceBase.exe") 
| timechart span=1h count(eval(AppDomainName="Monster.Services.Windows.ServiceBase.exe")) as "MonsterWindowServices" count(eval(like(AppDomainName, "EcomSubscription.%"))) as "EcomSubscription"

note: i think there are more consolidation options there, as your search might be "glued" at: ExceptionManager_AppDomainName but i wasnt sure

hope it helps

0 Karma
Reply

lsy9891
Engager
‎09-18-2019 12:06 AM

Hi I tried the query but it returns 0 results

0 Karma
Reply

lsy9891
Engager
‎09-18-2019 12:08 AM

Ok its incorrect because monster window services has 0 results

0 Karma
Reply

adonio
Ultra Champion
‎09-18-2019 02:32 AM

@lsy9891 not sure i understand,
if it works for you, kindly mark the question as answered, so others will know.
if it doesnt, please elaborate on what isnt working for you

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...