Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Use subsearch for timechart
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use subsearch for timechart
tgdvopab
Path Finder
08-17-2016
01:49 AM
I want to use two evals with subsearches. In the subsearches I would like to use a timechart to count the number of event per day.
At the end, I want to use a third timechart and display the two generated variables.
My code looks like the following:
index=lync_scs source="WinEventLog:Lync Server" | eval id_one = [ search index=lync_scs source="WinEventLog:Lync Server" EventCode=4410 | timechart span=1d count as id_one] | eval id_two = [ search index=lync_scs source="WinEventLog:Lync Server" EventCode=41113 | timechart span=1d count as id_two] | timechart span=1d values(id*)
Unfortunately, my search doesnt work.
Could you help me please? Thanks a lot!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
davebrooking
Contributor
08-17-2016
03:12 AM
Hi
I haven't tested this, but could you use something like
index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application |
eval not_available=if(EventCode=700 OR EventCode=702,1,0) |
eval available=if(EventCode!=700 OR EventCode!=702,1,0) |
timechart span=1d sum(available) as available sum(not_available) as not_available
You can also use eval functions within stats/chart/timechart commands, as shown in the Search Manual.
index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application |
timechart span=1d sum(eval(if(EventCode!=700 OR EventCode!=702,1,0))) as available sum(eval(if(EventCode=700 OR EventCode=702,1,0))) as not_available
Dave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tgdvopab
Path Finder
08-17-2016
03:40 AM
Thanks a lot! So I have the following search:
index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application |
eval not_available=if(EventCode=700 OR EventCode=702,1,0) |
eval available=if(EventCode!=700 OR EventCode!=702,1,0) | timechart span=1d sum(available) as available_time, sum(not_available) as not_available_time
I need one field more.
This field is calculated like this:
eval sla = 100 - (not_available_time / available_time)^
Do you know, how can I include this in the timechart?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
08-17-2016
03:55 AM
Just add eval sla = 100 - (not_available_time / available_time) to the end of your query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tgdvopab
Path Finder
08-17-2016
01:55 AM
I forgot the return $id_one and return $id_two after the timechart in the evals
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
davebrooking
Contributor
08-17-2016
02:35 AM
Why are you using subsearches? Does the following come close to what you're trying to achieve?
index=lync_scs source="WinEventLog:Lync Server" (EventCode=4410 OR EventCode=41113) | timechart span=1d count by EventCode
Dave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tgdvopab
Path Finder
08-17-2016
02:42 AM
I used the code as an example.
This is my original search:
index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application | eval sla=99.9 | eval not_available = [search index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application EventCode=700 OR Eventcode=702 | timechart span=1d count as not_available | return $not_available] | eval available = [search index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application EventCode!=700 OR Eventcode!=702 | timechart span=1d count as available | return $available] | eval sla2 = 100 - (not_available / available) | timechart span=1d values(*available)
Do you know another way?
Get Updates on the Splunk Community!
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...
What’s New in Splunk Observability – September 2025
What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...
Fun with Regular Expression - multiples of nine
Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...
