Re: Timechart 4 variable

sathish2k8 · ‎03-24-2018

index=nil sourcetype="niller" host=*| eval flag=if(timeout>5000,"Timeout","Total")| timechart span=1m count(flag) as number_of_timeouts by flag

Above search string obtains result from both host (host1,host2). If i want to display unified value from both dashboard host=* is working but i want to display from both host and it has to show both total and timeout also.

Please help how.

Thanks. (splunk 7.0)

mayurr98 · ‎03-24-2018

I do not think it is possible through timechart command
Well you need to try something like this

index=nil sourcetype="niller" host=* 
| bin _time span=1m 
| eval flag=if(timeout>5000,"Timeout","Total") 
| stats count(flag) as number_of_timeouts by flag host _time

let me know if this helps!

sathish2k8 · ‎03-25-2018

it is not working my scenario, i want to distinguish both the hosts. this search is working but i have to show 2 different host in same chart. please help

Timechart 4 variable

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

Join the Conversation