Splunk Search

charting results of 3 different searches to be in 1 chart


I have a chart to build which I can search for but did not manage to chart. The data comes in like this (shown below), and to distinguish these records I use regex to pick out the fields as they come into the index (containers).

E.g. how to identify an ATM transaction (txn); I need to key this into the search string:

index=BOTW sourcetype="INCOMING MSG : [0110]" | regex _raw="(\[3\]\s+\[(00|5\d|98|96)\d\d\d\d\]\s+\[20\]\s+\[6\])"

Now I am supposed to build a complex chart, but it seems insurmountable. The total transactions, successful transactions and specific transactions are to be in 1 chart, and the only way to distinguish them is via regular expression, as the input comes to me as coded numbers.

How can I build this chart? Or do you think it is not possible?


P.S. I have thought of putting them up separately, e.g. total txn as 1 chart, successful txn as 1 and specific txn as 1, but the POS, ECOM and ATM are also an issue. They are identified individually, which is not difficult, but when it comes to putting them together in a chart it seems to come to a standstill. I'm at my wits' end!



You might have some success by using eval to create "proxy" fields for your original data. I've used this technique in the past, similar to this:

| eval field1=if(match(_raw,"ABC"),1,0)
| eval field2=if(match(some_other_field,"XYZ"),1,0)
| chart sum(field1) as ABC_COUNT, sum(field2) as XYZ_in_some_other_field_count

Basically, you would eval a field to a "0" or a "1" for each of your 9 possible values above. Then when you sum() the values of these new fields, you have a count of events that matched each criterion.

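A search built along these lines that puts all nine counts on one chart, added here as an illustration and not part of the original answer. The ATM pattern is the one from the question; the POS, ECOM, success and specific-transaction patterns are placeholders to be replaced with the real field-layout regexes, since the thread does not show them. Channel is derived once with case() so each event lands in exactly one bucket, and the three counters are summed BY channel, which gives one row per channel and one column per measure:

```spl
index=BOTW sourcetype="INCOMING MSG : [0110]"
| eval channel=case(
      match(_raw, "\[3\]\s+\[(00|5\d|98|96)\d\d\d\d\]\s+\[20\]\s+\[6\]"), "ATM",
      match(_raw, "<POS_PATTERN_PLACEHOLDER>"), "POS",
      match(_raw, "<ECOM_PATTERN_PLACEHOLDER>"), "ECOM",
      true(), "OTHER")
| eval total=1
| eval successful=if(match(_raw, "<SUCCESS_PATTERN_PLACEHOLDER>"), 1, 0)
| eval specific=if(match(_raw, "<SPECIFIC_PATTERN_PLACEHOLDER>"), 1, 0)
| chart sum(total) AS total_txn, sum(successful) AS successful_txn, sum(specific) AS specific_txn BY channel
```

The resulting table (ATM/POS/ECOM rows, total/successful/specific columns) renders directly as a clustered column chart; the OTHER row is worth keeping while tuning the patterns, because a non-zero count there means some messages match none of the channel regexes.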