Solved: Timespan based output

poddraj · ‎04-28-2020

Hi
Can someone help me in getting o/p over 1h interval along with Total requests count, Success count, Failure count

I have written below query but am not getting the Total count as separate column for every 1h interval span

index=dte_fios sourcetype=dte2_Fios FT=*FT | eval Interval=strftime('_time',"%d-%m-%Y %H:%M:%S")
| eval Status=case(Error_Code=="0000","Success",1=1,"Failure")
| timechart span=1h count by Status

It is giving O/p as
_time Success Failure
2020-04-20 05:00 120 90

I need O/P as
_time Total Failure Success
2020-04-20 05:00 210 90 120

richgalloway · ‎04-28-2020

You're not getting the total count because your query does not mention total count.

index=dte_fios sourcetype=dte2_Fios FT=*FT 
| eval Status=case(Error_Code=="0000","Success",1=1,"Failure")
| timechart span=1h count by Status
| eval Total = Success + Failure
| table _time Total Failure Success

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎04-28-2020

You're not getting the total count because your query does not mention total count.

index=dte_fios sourcetype=dte2_Fios FT=*FT 
| eval Status=case(Error_Code=="0000","Success",1=1,"Failure")
| timechart span=1h count by Status
| eval Total = Success + Failure
| table _time Total Failure Success

---
If this reply helps you, Karma would be appreciated.

poddraj · ‎04-29-2020

Thanks....

Timespan based output

eval

table

timechart

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off