Splunk Search

When I use timechart, I get a visual. When I use chart, no results. Any idea why?

zeroCalm
New Member

Hello,

I am using the following search:

index="ips_snaplogic""postsales" lvl="ERROR"| spath| rex mode=sed "s/.*{/{/"
| spath output=msg path=Detail.error.message.message
| timechart count BY msg

THis is the JSON I am trying to drill into, and grab the error message that I am trying to divide the chart by.

//XXX/projects/Sales_PostSales_processPostSaleOrder_VIP_CCT:{  
   "Service":"Enterprise Sales",
   "Date":"09/19/2017 08:44:41.466",
   "Environment":"XXX",
   "Debug":"Error",
   "Source":"PostSalesIntegration",
   "Description":"Error::processPostSaleOrder_VIP_CCT. Error occurred while trying to process the message. Failed to execute HTTP request",
   "Message_Unique_Id":null,
   "Message_qualifier":null,
   "JMSMessageID":null,
   "Detail":{  
      "error":{  
         "message":"Failed to execute HTTP request",
         "reason":"Read timed out",
         "resolution":"Please check the Snap properties."
      }

When I use timechart, I get a visual. When I use chart, no results. Any idea why?

Thanks

0 Karma

somesoni2
SplunkTrust
SplunkTrust

What's your query with chart command? What is the expected visualization with chart command?

zeroCalm
New Member

I have updated my original question.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Could you also post the query that you use with chart command? Do you select pie visualization for both?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi zeroCalm,
what options do you use in chart command ?
Bye.
Giuseppe

0 Karma

zeroCalm
New Member

Options? I don't believe I understand the question. The original question shows my entire search string.

0 Karma

gcusello
SplunkTrust
SplunkTrust

did you tried something like this using chart instead timechart?

index="ips_snaplogic""postsales" lvl="ERROR"
| spath
| rex mode=sed "s/.*{/{/"
| spath output=msg path=Detail.error.message.message
| bin _time span=1h 
| chart count over _time BY msg

Bye.
Giuseppe

0 Karma

zeroCalm
New Member

Now I am getting a chart, but the error message isnt showing.

Here is a screenshot.

https://imgur.com/a/NZTJC

Thanks again.

0 Karma

gcusello
SplunkTrust
SplunkTrust

revie the message field extraction
Bye.
Giuseppe

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

This | spath output=msg path=Detail.error.message.message should be replaced with this | spath output=msg path=Detail.error.message

0 Karma

gcusello
SplunkTrust
SplunkTrust

If this answer satisfies your question, please accept or upvote it.
Bye.
Giuseppe

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Try this and see what happens...

index="ips_snaplogic""postsales" lvl="ERROR"
| spath
| rex mode=sed "s/.*{/{/"
| spath output=msg path=Detail.error.message
| bin _time span=1h 
| chart count BY msg _time

Updated to eliminate extra ".message"

zeroCalm
New Member

Thanks for the response, I am having the same results though.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

@zerocalm - try again. There was an extra .message in the code, probably inserted somehow when you changed timechart to chart.

|makeresults 
| eval _raw="//XXX/projects/Sales_PostSales_processPostSaleOrder_VIP_CCT:{  
    \"Service\":\"Enterprise Sales\",
    \"Date\":\"09/19/2017 08:44:41.466\",
    \"Environment\":\"XXX\",
    \"Debug\":\"Error\",
    \"Source\":\"PostSalesIntegration\",
    \"Description\":\"Error::processPostSaleOrder_VIP_CCT. Error occurred while trying to process the message. Failed to execute HTTP request\",
    \"Message_Unique_Id\":null,
    \"Message_qualifier\":null,
    \"JMSMessageID\":null,
    \"Detail\":{  
       \"error\":{  
          \"message\":\"Failed to execute HTTP request\",
          \"reason\":\"Read timed out\",
          \"resolution\":\"Please check the Snap properties.\"
       }"
| spath
| rex mode=sed "s/.*{/{/"
| spath output=msg path=Detail.error.message
0 Karma

zeroCalm
New Member

Thanks, I removed the extra .message, and I am still getting the same results.

Screenshot:

https://imgur.com/PQA6itN

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...