Splunk Search

Splunk combine timechart result from two queries

officialsubho
New Member

Have the following queries

query 1 - cf_org_name="xxx" cf_space_name="yyy" cf_app_name=zzz index=123* msg= "Transaction completed" | timechart count AS Succesfull_Tran span=60m

query 2 - cf_org_name="xxx" cf_space_name="yyy" cf_app_name=zzz index=123* msg= "ERROR" | timechart count AS Failed_Tran span=60m

Need help to combine the resultset into a single timechart table . Tried append and it dosent not give the desired output .

Desired Output

_time | Succesfull_Tran | Failed_Tran

0 Karma

woodcock
Esteemed Legend

Like this:

index="123*" AND cf_org_name="xxx" AND cf_space_name="yyy" AND cf_app_name="zzz" 
| timechart span=60m count(eval(msg="ERROR")) AS Failed_Tran count(eval(msg="Transaction completed")) AS Succesfull_Tran 
0 Karma

Anantha123
Communicator

Hi,

Try this too

cf_org_name="xxx" cf_space_name="yyy" cf_app_name=zzz index=123*
| timechart span=1h count as Total , count(eval(msg="Transaction completed")) as Succesfull_Tran , count(eval(msg="ERROR")) as Failed_Tran

0 Karma

jacobpevans
Motivator

| timechart span=60m count by msg

You can also create a new variable and timechart by that

| eval Success = if(msg="Transaction Completed","Success","Error")
| timechart span=60m count by Success

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...