Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to use time picker to display the data in ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use time picker to display the data in this query with appendcols?
lsy9891
Engager
09-16-2019
07:19 PM
Hi, I have this query:
host="NETAPPA*" sourcetype="WinEventLog:Application" AND AppDomainName= "EcomSubscription.*"AND "ErrorGUID" | timechart span=1h count AS "EcomSubscription" | appendcols [search host=NETAPPA* sourcetype="WinEventLog:Application" AND LogName="Application" AND ExceptionManager_AppDomainName= "Monster.Services.Windows.ServiceBase.exe" | timechart span=1h count AS "MonsterWindowServices" ]
I changed the setting of the shared time picker to last 24 hours and the chart just returns null but when I changed the setting to last 7 days there are results. But from the 7-day results it shows that 'Monster window services' is not null for the last 24 hours. Is it because of the appendcols?
EDIT:I realized when ecomsubsription is null monster window services does not display as well eventhough it is not null? Is there a way to avoid appendcols altogether?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adonio
Ultra Champion
09-16-2019
07:50 PM
not sure why appending, seems like you are almost searching for the same things, and now all it needed is to sort the counts over time by the "unique search stings"
try this:
(index = <YOUR INDEX HERE> host="NETAPPA*" sourcetype="WinEventLog:Application" AppDomainName= "EcomSubscription.*" "ErrorGUID") OR (index = <YOUR INDEX HERE> host="NETAPPA*" sourcetype="WinEventLog:Application" LogName="Application" AND ExceptionManager_AppDomainName="Monster.Services.Windows.ServiceBase.exe")
| timechart span=1h count(eval(AppDomainName="Monster.Services.Windows.ServiceBase.exe")) as "MonsterWindowServices" count(eval(like(AppDomainName, "EcomSubscription.%"))) as "EcomSubscription"
note: i think there are more consolidation options there, as your search might be "glued" at: ExceptionManager_AppDomainName but i wasnt sure
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lsy9891
Engager
09-18-2019
12:06 AM
Hi I tried the query but it returns 0 results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lsy9891
Engager
09-18-2019
12:08 AM
Ok its incorrect because monster window services has 0 results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adonio
Ultra Champion
09-18-2019
02:32 AM
@lsy9891 not sure i understand,
if it works for you, kindly mark the question as answered, so others will know.
if it doesnt, please elaborate on what isnt working for you
Get Updates on the Splunk Community!
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
