Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Multiple timechart counts in one search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Multiple timechart counts in one search
Hey Guys, i have spent all day trying to do this:
So this search:
index=nexus RNA-IVS "login failed" | timechart count
provides me with
date count
mon 8
tue 5
wed 3
Its counting all results with the string "login failed".
NOW, what i need is it to do two string counts of different words so i get this result:
date count1 (login failed) count2 (passed)
mon 8 3
tue 5 2
wed 3 3
please assist 😞
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you could try
index=nexus RNA-IVS | rex field=_raw ".login (?\s+)." | timechart count by logstate
make to regexp to match your fields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=nexus RNA-IVS "login failed" OR passed
| eval status = if(match(_raw,"(?i)login failed"),"Login failed","Passed")
| timechart count by status
If you want to do this for more fields, that is possible. You could have multiple eval statements with different criteria. As long as you assign the appropriate value to status, the above will work.
However, I think you should consider creating some eventtypes for your data. This would let you categorize the information in a number of ways. Let's say that you named your eventtypes RNA_login_failed, RNA_login_success, RNA_connection_started etc. Now your search would be very simple (and flexible):
index=nexus RNA-IVS eventtype=RNA*
| timechart count by eventtype
And if in the future you create more RNA* eventtypes, this search will automatically pick them up.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for this, it works great, however can i add more than two fields also? I need about four
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How i wish somebody would answer 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We do this for free... and in the middle of the night in my timezone... just sayin'
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
