combined timecharts

adomila
Explorer

Hi,
I'm trying to combine 2 timecharts into just a single graph

index=xxx (MTYP=0 RESL=0) OR (MTYP=1 RESL=0) OR (MTYP=4 RESL=0) | timechart count(_raw) as successful by host

index=xxx (MTYP=0 RESL=1) OR (MTYP=0 RESL=2) OR (MTYP=0 RESL=3) OR (MTYP=1 RESL=1) OR (MTYP=1 RESL=2) OR (MTYP=1 RESL=3) OR (MTYP=4 RESL=1) OR (MTYP=4 RESL=2) OR (MTYP=4 RESL=3) | timechart count(_raw) as failed by host

I tried this but got an error

index=xxx (MTYP=0 RESL=0) OR (MTYP=1 RESL=0) OR (MTYP=4 RESL=0) | stats count(_raw) as successful count(eval((MTYP=0 RESL=1) OR (MTYP=0 RESL=2) OR (MTYP=0 RESL=3) OR (MTYP=1 RESL=1) OR (MTYP=1 RESL=2) OR (MTYP=1 RESL=3) OR (MTYP=4 RESL=1) OR (MTYP=4 RESL=2) OR (MTYP=4 RESL=3))) as failed by _time


kristian_kolb
Ultra Champion

You could try a different approach:

index=xxx sourcetype=yyy MTYP=* RESL=* 
| eval outcome = case(((MTYP==0 AND RESL==0) OR (MTYP==1 AND RESL==0) OR (MTYP==4 AND RESL==0)), "success", ((MTYP==0 AND RESL==1) OR (MTYP==0 AND RESL==2) OR (MTYP==0 AND RESL==3) OR (MTYP==1 AND RESL==1) OR (MTYP==1 AND RESL==2) OR (MTYP==1 AND RESL==3) OR (MTYP==4 AND RESL==1) OR (MTYP==4 AND RESL==2) OR (MTYP==4 AND RESL==3)), "failed", 1==1, "unknown") 
| timechart span=1h count by outcome

Hope this helps,

K
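
An added variant of the search above (not from the original thread) that keeps the per-host split the question asked for: it collapses the nine failure combinations with in(), and concatenates host and outcome into one series name so successful and failed counts for every host land on a single timechart. index=xxx and sourcetype=yyy are the thread's own placeholders; the MTYP/RESL value mapping is the one given in the question.

```spl
index=xxx sourcetype=yyy MTYP=* RESL=*
| eval outcome = case(
      NOT in(MTYP, 0, 1, 4), "unknown",
      RESL==0,               "success",
      in(RESL, 1, 2, 3),     "failed",
      1==1,                  "unknown")
| eval series = host . ":" . outcome
| timechart span=1h limit=0 useother=f count by series
```

limit=0 and useother=f stop timechart from folding lower-volume hosts into an "OTHER" series, which would otherwise hide a host whose failure count is small but non-zero.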


kristian_kolb
Ultra Champion

Good to hear. I didn't get to test it, so it was more off the top of my head.


adomila
Explorer

Hi Kristian,
It didn't work the way I fully expected it to, but I got the idea and so I did some minor tweaks to suit my needs. Finally got it working now. Thanks a bunch.
