Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Use subsearch for timechart
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use subsearch for timechart
tgdvopab
Path Finder
08-17-2016
01:49 AM
I want to use two evals with subsearches. In the subsearches I would like to use a timechart to count the number of event per day.
At the end, I want to use a third timechart and display the two generated variables.
My code looks like the following:
index=lync_scs source="WinEventLog:Lync Server" | eval id_one = [ search index=lync_scs source="WinEventLog:Lync Server" EventCode=4410 | timechart span=1d count as id_one] | eval id_two = [ search index=lync_scs source="WinEventLog:Lync Server" EventCode=41113 | timechart span=1d count as id_two] | timechart span=1d values(id*)
Unfortunately, my search doesnt work.
Could you help me please? Thanks a lot!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
davebrooking
Contributor
08-17-2016
03:12 AM
Hi
I haven't tested this, but could you use something like
index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application |
eval not_available=if(EventCode=700 OR EventCode=702,1,0) |
eval available=if(EventCode!=700 OR EventCode!=702,1,0) |
timechart span=1d sum(available) as available sum(not_available) as not_available
You can also use eval functions within stats/chart/timechart commands, as shown in the Search Manual.
index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application |
timechart span=1d sum(eval(if(EventCode!=700 OR EventCode!=702,1,0))) as available sum(eval(if(EventCode=700 OR EventCode=702,1,0))) as not_available
Dave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tgdvopab
Path Finder
08-17-2016
03:40 AM
Thanks a lot! So I have the following search:
index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application |
eval not_available=if(EventCode=700 OR EventCode=702,1,0) |
eval available=if(EventCode!=700 OR EventCode!=702,1,0) | timechart span=1d sum(available) as available_time, sum(not_available) as not_available_time
I need one field more.
This field is calculated like this:
eval sla = 100 - (not_available_time / available_time)^
Do you know, how can I include this in the timechart?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
08-17-2016
03:55 AM
Just add eval sla = 100 - (not_available_time / available_time) to the end of your query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tgdvopab
Path Finder
08-17-2016
01:55 AM
I forgot the return $id_one and return $id_two after the timechart in the evals
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
davebrooking
Contributor
08-17-2016
02:35 AM
Why are you using subsearches? Does the following come close to what you're trying to achieve?
index=lync_scs source="WinEventLog:Lync Server" (EventCode=4410 OR EventCode=41113) | timechart span=1d count by EventCode
Dave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tgdvopab
Path Finder
08-17-2016
02:42 AM
I used the code as an example.
This is my original search:
index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application | eval sla=99.9 | eval not_available = [search index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application EventCode=700 OR Eventcode=702 | timechart span=1d count as not_available | return $not_available] | eval available = [search index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application EventCode!=700 OR Eventcode!=702 | timechart span=1d count as available | return $available] | eval sla2 = 100 - (not_available / available) | timechart span=1d values(*available)
Do you know another way?
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
Hello Splunkers, We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...
May 2026 Splunk Expert Sessions: Security & Observability
Level Up Your Operations: May 2026 Splunk Expert Sessions
Whether you are refining your security posture or ...
Network to App: Observability Unlocked [May & June Series]
In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...
