Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart based on max count of 3 fields

erica
Explorer
‎11-29-2021 02:42 AM

I was given a base search to manipulate and create Timechart accordingly.

base search
| eval file_line = file.":".line
| eval errorList = message . ":" . file_line . ":" . level
| top 25 message,file_line,level by applicationBuild
| table applicationBuild level count file_line message

The result was formatted as such

build2021ERROR8file1.java:111ErrorMessage123
build2021ERROR4file2.java:123ErrorMessage456
build2021ERROR3file3.java:456ErrorMessage789

 

I want to plot a Timechart from the above result. Output should be Top 25 Error message above against time.

I came out with

base search 
| eval file_line = file.":".line
| eval errorList = message.";".file_line.";".level
| where errorList!="null"
| timechart useother=f usenull=f count max(message,file_line,level,applicationBuild) by errorList limit=25

 

The legend of the result will append "count: " in front of the errorList that I cannot remove.

Any idea how can I remove this from the legend?

OR

are there better ways to achieve the same result?

erica_1-1638182325631.png

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎11-29-2021 02:55 AM

It is because you're calculating two separate statistics for each timepoints and in order to allow you to distinguish between them splunk calls them by the aggregation function you used.

You can add

| rename "count: *" as *

to remove the "count:" part from the column names.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎11-29-2021 02:55 AM

It is because you're calculating two separate statistics for each timepoints and in order to allow you to distinguish between them splunk calls them by the aggregation function you used.

You can add

| rename "count: *" as *

to remove the "count:" part from the column names.

0 Karma
Reply
Solved! Jump to solution

erica
Explorer
‎11-29-2021 03:20 AM

Thank you! this solve my problem 

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...