Solved: Timechart with different bar color

pankajad · ‎07-02-2019

My splunk query is

index=abc "Server started successfully"  OR "Get Operation" OR "POST operation" OR "Error occurred"

I want to get a timechart which shows when each these events occurred. Probably bar having a different color for each event or any other way which lets me identify if there was any "Get Operation" OR "POST Operation" between "Server started successfully" and "Error occurred"

aohls · ‎07-03-2019

Not the cleanest but I should work to get a timechart counting the number of occurrences for each:

| eval result = case(like(_raw, "%Server started successfully%"),"Server started successfully",like(_raw, "%Get Operation%"),"Get Operation",like(_raw, "%POST operation%"),"POST operation",like(_raw, "%Error occurred%"),"Error occurred")
| timechart count(_raw) by result

View solution in original post

aohls · ‎07-03-2019

Not the cleanest but I should work to get a timechart counting the number of occurrences for each:

| eval result = case(like(_raw, "%Server started successfully%"),"Server started successfully",like(_raw, "%Get Operation%"),"Get Operation",like(_raw, "%POST operation%"),"POST operation",like(_raw, "%Error occurred%"),"Error occurred")
| timechart count(_raw) by result

Timechart with different bar color

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Timechart with different bar color

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases