Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Timchart - Search queries

ppurokit
Path Finder
‎05-11-2014 08:16 AM

Hi All,

I have the following search queries with me.

index=XXX CISE_Failed_Attempts | timechart span=30m count by CISE_Failed_Attempts | rename NULL as "Failed Authentication Count"

index=XXX CISE_Passed_Authentications | timechart span=30m count by CISE_Passed_Authentications | rename NULL as "Passed Authentications Count"

Is there a way where i could combine both the queries together into a single query like the following

index=XXX CISE_Passed_Authentications OR CISE_Failed_Attempts | timechart span=30m count by CISE_Passed_Authentications , CISE_Failed_Attempts

Individually the search queries work fine. But when i try to do a timechart with two fields it fails.

Please suggest a way to overcome this issue.

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-11-2014 08:29 AM

The most naive way to combine the two would be appendcols:

index=XXX CISE_Failed_Attempts | timechart span=30m count by CISE_Failed_Attempts | rename NULL as "Failed Authentication Count"
| appendcols 
[ search index=XXX CISE_Passed_Authentications | timechart span=30m count by CISE_Passed_Authentications | rename NULL as "Passed Authentications Count" ]

Depending on your data, you may be able to combine the two more smartly, for example like this:

index=XXX CISE_Failed_Attempts OR CISE_Passed_Authentications | eval CISE_Combined = coalesce(CISE_Failed_Attempts, CISE_Passed_Authentications) | timechart span=30m count by CISE_Combined

Note, I've assumed that those two fields have reasonable values... I'm doubting that assumption a bit because of your use of the NULL column. Post some sample data to investigate that.

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-11-2014 09:47 AM

What values do those two fields CISE_Failed_Attempts and CISE_Passed_Authentications have that you use to group by? If their values are distinct then combining them before the timechart will still yield their distinct values for each column.

0 Karma
Reply

ppurokit
Path Finder
‎05-11-2014 09:45 AM

I hope i cant make use of the coalesce command because both are combined together into a single column. But i need both to be separate.

As said i can make use of the said appendcols,but fear that im executing two searches at the same time which could take more time to run.

0 Karma
Reply

ppurokit
Path Finder
‎05-11-2014 09:39 AM

Thanks for the update. Actually my intention is to combine these into a single query and put it into a summary index using sitimechart command and then again write a query to populate back the dashboard,

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...