- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to use time picker to display the data in ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use time picker to display the data in this query with appendcols?
Hi, I have this query:
host="NETAPPA*" sourcetype="WinEventLog:Application" AND AppDomainName= "EcomSubscription.*"AND "ErrorGUID" | timechart span=1h count AS "EcomSubscription" | appendcols [search host=NETAPPA* sourcetype="WinEventLog:Application" AND LogName="Application" AND ExceptionManager_AppDomainName= "Monster.Services.Windows.ServiceBase.exe" | timechart span=1h count AS "MonsterWindowServices" ]
I changed the setting of the shared time picker to last 24 hours and the chart just returns null but when I changed the setting to last 7 days there are results. But from the 7-day results it shows that 'Monster window services' is not null for the last 24 hours. Is it because of the appendcols?
EDIT:I realized when ecomsubsription is null monster window services does not display as well eventhough it is not null? Is there a way to avoid appendcols altogether?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
not sure why appending, seems like you are almost searching for the same things, and now all it needed is to sort the counts over time by the "unique search stings"
try this:
(index = <YOUR INDEX HERE> host="NETAPPA*" sourcetype="WinEventLog:Application" AppDomainName= "EcomSubscription.*" "ErrorGUID") OR (index = <YOUR INDEX HERE> host="NETAPPA*" sourcetype="WinEventLog:Application" LogName="Application" AND ExceptionManager_AppDomainName="Monster.Services.Windows.ServiceBase.exe")
| timechart span=1h count(eval(AppDomainName="Monster.Services.Windows.ServiceBase.exe")) as "MonsterWindowServices" count(eval(like(AppDomainName, "EcomSubscription.%"))) as "EcomSubscription"
note: i think there are more consolidation options there, as your search might be "glued" at: ExceptionManager_AppDomainName but i wasnt sure
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi I tried the query but it returns 0 results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok its incorrect because monster window services has 0 results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@lsy9891 not sure i understand,
if it works for you, kindly mark the question as answered, so others will know.
if it doesnt, please elaborate on what isnt working for you
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
