Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search for multiple strings and put into one line chart.

mdavis43
Path Finder
‎09-03-2013 11:16 AM

I have a search that currently has 3 search terms...

host="s2a*" "Command Aborted" OR "Internal queue full" OR "Aborting CMD"

I want to put this into a line chart by number of occurrences returned. One line per search term. Can someone point me in the right direction?

Thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎09-03-2013 04:59 PM

as per answer from Kristian, here is a regex way to do it (considering that an event has only one of those strings).

host="s2a*" "Command Aborted" OR "Internal queue full" OR "Aborting CMD" | rex "(?< myfabulousfield >(Command Aborted|Internal queue full|Aborting CMD))" | stats count by myfabulousfield

View solution in original post

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎09-03-2013 04:59 PM

as per answer from Kristian, here is a regex way to do it (considering that an event has only one of those strings).

host="s2a*" "Command Aborted" OR "Internal queue full" OR "Aborting CMD" | rex "(?< myfabulousfield >(Command Aborted|Internal queue full|Aborting CMD))" | stats count by myfabulousfield

Reply
Solved! Jump to solution

qtorque95
Explorer
‎10-27-2017 10:12 AM

in the "rex" you meant "regex", right? If "regex" what will be the proper Splunk statement to run your suggested answer? Thanks.

0 Karma
Reply
Solved! Jump to solution

mdavis43
Path Finder
‎09-04-2013 02:48 PM

Thanks, that worked just fine. I replaced stats with timechart and it gave me the results I was looking for.

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎09-03-2013 12:02 PM

You need to extract the strings above into a field, e.g. my_field

then you run your search like;

... | timechart c by my_field

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...