Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Timechart search and subsearch together

tferro999
New Member
‎10-15-2013 04:46 PM

I'm trying to graph the total number of hits to our website alongside the total number of hits to a subset of pages within the site. I've seen a few examples using eval, stats, and append, but can't seem to make anything work

Here is what I have so far.....

index="iis_logs" 
| eval SearchNumber="cs_uri_stem=/site1* OR cs_uri_stem=/site1a*"
| stats count(cs_uri_stem) by SearchNumber 
| append [search index="iis_logs" 
| eval SearchNumber=
"cs_uri_stem="*subsite1*" OR
cs_uri_stem="*subsite2*" OR
cs_uri_stem="*subsite3*" OR
cs_uri_stem="*subsite4*""
| stats count(cs_uri_stem)]
| timechart span=1h count by SearchNumber
Tags (3)
0 Karma
Reply

tferro999
New Member
‎10-17-2013 10:17 AM

Thanks Hiroshi, that did the trick.

I have a new issue regarding the size of the subsearch. I received a warning that the subsearch was taking longer than 60 secs so I added "maxtime=3660" to resolve that issue.

Now I am getting an error that the subsearch has exceeded 50,000 results so it is being truncated.

Is there a way to modify this search to avoid using a subsearch?

0 Karma
Reply

HiroshiSatoh
Champion
‎10-15-2013 08:42 PM

I have fixed in inferred from the statement of your search.

index="iis_logs" (cs_uri_stem="/site1" OR cs_uri_stem="/site1a")|
eval SearchNumber="site1" | append [search index="iis_logs" (cs_uri_stem="subsite1" OR cs_uri_stem="subsite2" OR cs_uri_stem="subsite3" OR cs_uri_stem="subsite4")| eval SearchNumber="subsite" ] | timechart span=1h count by SearchNumber

(result)
_time site1 subsite
.....
13/10/16 02:00 100 200
13/10/16 03:00 300 400
.....

0 Karma
Reply

HiroshiSatoh
Champion
‎10-17-2013 10:50 PM

Sub search is not required.

index="iis_logs" (cs_uri_stem="/site1" OR cs_uri_stem="/site1a" OR cs_uri_stem="subsite1" OR cs_uri_stem="subsite2" OR cs_uri_stem="subsite3" OR cs_uri_stem="subsite4")|
eval SearchNumber=case(cs_uri_stem=="/site1","site1",cs_uri_stem=="/site1a","site1",cs_uri_stem=="subsite1","subsite",cs_uri_stem=="subsite2","subsite",cs_uri_stem=="subsite3","subsite",cs_uri_stem=="subsite4","subsite") |
| timechart span=1h count by SearchNumber

0 Karma
Reply

tferro999
New Member
‎10-17-2013 10:17 AM

Thanks Hiroshi, that did the trick.

I have a new issue regarding the size of the subsearch. I received a warning that the subsearch was taking longer than 60 secs so I added "maxtime=3660" to resolve that issue.

Now I am getting an error that the subsearch has exceeded 50,000 results so it is being truncated.

Is there a way to modify this search to avoid using a subsearch?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...