Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

When I use timechart, I get a visual. When I use chart, no results. Any idea why?

zeroCalm
New Member
‎09-19-2017 07:33 AM

Hello,

I am using the following search:

index="ips_snaplogic""postsales" lvl="ERROR"| spath| rex mode=sed "s/.*{/{/"
| spath output=msg path=Detail.error.message.message
| timechart count BY msg

THis is the JSON I am trying to drill into, and grab the error message that I am trying to divide the chart by.

//XXX/projects/Sales_PostSales_processPostSaleOrder_VIP_CCT:{  
   "Service":"Enterprise Sales",
   "Date":"09/19/2017 08:44:41.466",
   "Environment":"XXX",
   "Debug":"Error",
   "Source":"PostSalesIntegration",
   "Description":"Error::processPostSaleOrder_VIP_CCT. Error occurred while trying to process the message. Failed to execute HTTP request",
   "Message_Unique_Id":null,
   "Message_qualifier":null,
   "JMSMessageID":null,
   "Detail":{  
      "error":{  
         "message":"Failed to execute HTTP request",
         "reason":"Read timed out",
         "resolution":"Please check the Snap properties."
      }

When I use timechart, I get a visual. When I use chart, no results. Any idea why?

Thanks

0 Karma
Reply

somesoni2
Revered Legend
‎09-19-2017 08:07 AM

What's your query with chart command? What is the expected visualization with chart command?

Reply

zeroCalm
New Member
‎09-19-2017 08:55 AM

I have updated my original question.

0 Karma
Reply

somesoni2
Revered Legend
‎09-19-2017 09:32 AM

Could you also post the query that you use with chart command? Do you select pie visualization for both?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-19-2017 07:36 AM

Hi zeroCalm,
what options do you use in chart command ?
Bye.
Giuseppe

0 Karma
Reply

zeroCalm
New Member
‎09-19-2017 07:43 AM

Options? I don't believe I understand the question. The original question shows my entire search string.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-19-2017 07:47 AM

did you tried something like this using chart instead timechart?

index="ips_snaplogic""postsales" lvl="ERROR"
| spath
| rex mode=sed "s/.*{/{/"
| spath output=msg path=Detail.error.message.message
| bin _time span=1h 
| chart count over _time BY msg

Bye.
Giuseppe

0 Karma
Reply

zeroCalm
New Member
‎09-19-2017 08:16 AM

Now I am getting a chart, but the error message isnt showing.

Here is a screenshot.

https://imgur.com/a/NZTJC

Thanks again.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-19-2017 08:18 AM

revie the message field extraction
Bye.
Giuseppe

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎09-19-2017 09:55 AM

This | spath output=msg path=Detail.error.message.message should be replaced with this | spath output=msg path=Detail.error.message

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-20-2017 04:12 AM

If this answer satisfies your question, please accept or upvote it.
Bye.
Giuseppe

0 Karma
Reply

DalJeanis
Legend
‎09-19-2017 07:36 AM

Try this and see what happens...

index="ips_snaplogic""postsales" lvl="ERROR"
| spath
| rex mode=sed "s/.*{/{/"
| spath output=msg path=Detail.error.message
| bin _time span=1h 
| chart count BY msg _time

Updated to eliminate extra ".message"

Reply

zeroCalm
New Member
‎09-19-2017 07:42 AM

Thanks for the response, I am having the same results though.

0 Karma
Reply

DalJeanis
Legend
‎09-19-2017 09:07 AM

@zerocalm - try again. There was an extra .message in the code, probably inserted somehow when you changed timechart to chart.

|makeresults 
| eval _raw="//XXX/projects/Sales_PostSales_processPostSaleOrder_VIP_CCT:{  
    \"Service\":\"Enterprise Sales\",
    \"Date\":\"09/19/2017 08:44:41.466\",
    \"Environment\":\"XXX\",
    \"Debug\":\"Error\",
    \"Source\":\"PostSalesIntegration\",
    \"Description\":\"Error::processPostSaleOrder_VIP_CCT. Error occurred while trying to process the message. Failed to execute HTTP request\",
    \"Message_Unique_Id\":null,
    \"Message_qualifier\":null,
    \"JMSMessageID\":null,
    \"Detail\":{  
       \"error\":{  
          \"message\":\"Failed to execute HTTP request\",
          \"reason\":\"Read timed out\",
          \"resolution\":\"Please check the Snap properties.\"
       }"
| spath
| rex mode=sed "s/.*{/{/"
| spath output=msg path=Detail.error.message
0 Karma
Reply

zeroCalm
New Member
‎09-19-2017 09:21 AM

Thanks, I removed the extra .message, and I am still getting the same results.

Screenshot:

https://imgur.com/PQA6itN

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...