Splunk Search

Timechart issue

clementros
Path Finder

Hi all,

I have extracted a field (exit_status) in a log file. I want to know if a process exits properly.

I have 3 use cases that can be found in the log files: exit_status = normaly, exit_status = -1, or exit_status does not exist.

I want to have a visualisation which counts the number of exit_status = normaly and the number of files that do not exit normaly (exit_status = -1 + exit_status does not exist).

I don't know how to create a counter of the existing value (-1) plus the number of files where exit_status does not exist.

1 Solution

gcusello
SplunkTrust

Hi @clementros,
A little question: do you have a process_id that permits correlating the process start with the exit_status?
If yes, it's easy to build your search; otherwise you have to find a way to count the executed processes.

In the first case you could have something like this:

index=your_index (process_id=* OR exit_status=*)
| stats values(exit_status) AS exit_status BY process_id
| fillnull value="No exit_status" exit_status
| table process_id exit_status

In the second case you can have only a total of the processes without exit_status.

Ciao.
Giuseppe

clementros
Path Finder

Hi @gcusello

Thank you for your help. The result is good, but I do not know how to plot this with an exit_status value count every day.


gcusello
SplunkTrust

Hi @clementros,
Try something like this:

index=your_index (process_id=* OR exit_status=*)
| stats earliest(_time) AS _time values(exit_status) AS exit_status BY process_id
| fillnull value="No exit_status" exit_status
| timechart span=1d count BY exit_status

Ciao.
Giuseppe

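As an added example (not code from the thread), here is a small Python script that replays the logic of the accepted search over a few constructed log lines, so the three steps of the answer can be seen together: grouping events by process_id with the earliest timestamp, filling a missing exit_status with "No exit_status", and counting per day by exit_status. The log line format, the field names and the sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the original thread): each line is
# "<ISO time> process_id=<id> [exit_status=<value>]". Start events carry no
# exit_status; some processes never report one at all.
SAMPLE_LOGS = """\
2024-03-01T08:00:00Z process_id=101
2024-03-01T08:05:00Z process_id=101 exit_status=normaly
2024-03-01T09:00:00Z process_id=102
2024-03-01T09:02:00Z process_id=102 exit_status=-1
2024-03-01T10:00:00Z process_id=103
2024-03-02T07:30:00Z process_id=104
2024-03-02T07:45:00Z process_id=104 exit_status=normaly
2024-03-02T08:00:00Z process_id=105
2024-03-02T08:10:00Z process_id=105 exit_status=normaly
2024-03-02T11:00:00Z process_id=106
"""

NO_EXIT = "No exit_status"  # same fill value as the fillnull in the answer


def parse_event(line):
    """Split one log line into (_time, {field: value}), like Splunk's field extraction."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), fields


def exit_status_by_day(raw_logs):
    """Emulate: stats earliest(_time) AS _time values(exit_status) AS exit_status BY process_id
                | fillnull value="No exit_status" exit_status
                | timechart span=1d count BY exit_status"""
    earliest, statuses = {}, defaultdict(set)
    for line in raw_logs.strip().splitlines():
        t, f = parse_event(line)
        pid = f["process_id"]
        # earliest(_time) per process_id: the day the process was started
        earliest[pid] = min(t, earliest.get(pid, t))
        if "exit_status" in f:  # values(exit_status): only events that carry the field
            statuses[pid].add(f["exit_status"])
    chart = defaultdict(lambda: defaultdict(int))
    for pid, start in earliest.items():
        day = start.date().isoformat()
        # fillnull: a process with no exit_status event at all becomes "No exit_status"
        for status in statuses.get(pid) or {NO_EXIT}:
            chart[day][status] += 1
    return {day: dict(counts) for day, counts in sorted(chart.items())}
```

A process that started but never logged an exit_status lands in the "No exit_status" bucket for the day it started, which is what makes the "did not exit normally" count (-1 plus missing) possible from the same chart.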

clementros
Path Finder

It works, thank you.
