Splunk Search

sum two fields count on linechart

Path Finder

I have two fields trigger0 and trigger that occur several times per hour and I would like the sum (number of occurrences) of both over a one-hour timespan. I tried a lot of things from the forum but I always get "no result found".
A few examples of what I've tried:

source="*0307.log*" trigger0=* trigger=* [ search trigger0=* | head 1 | eval earliest=relative_time(lastTime,"-15d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")"  ] | timechart span=1h sum( eval(count(trigger) + count(trigger0)) ) as totaltrigger


source="*0307.log*" trigger0=* trigger=* [ search trigger0=* | head 1 | eval earliest=relative_time(lastTime,"-15d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")"  ] | timechart span=1h count(trigger) count(trigger0)

It's the part after the last pipe that causes the problem; I'm using the first part in other graphs.

0 Karma
1 Solution

Legend

Your search could be

source="*0307.log*" trigger0=* OR trigger=*  
    [ search trigger0=* | head 1 
     | eval earliest=relative_time(lastTime,"-15d")
     | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ] 
| eval  triggerMain = trigger+ trigger0
| timechart span=1h count(triggerMain) as triggerMain

If for some reason that doesn't work, then you could also do

source="*0307.log*" trigger0=* OR trigger=*  
    [ search trigger0=* | head 1 
     | eval earliest=relative_time(lastTime,"-15d")
     | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ] 
 | timechart span=1h eval(count(trigger)) as trigger01, eval(count(trigger0)) as trigger001
 | eval triggerMain = trigger01+ trigger001
 | fields - trigger01 trigger001

Also, I am unclear why you need all the fancy stuff for setting earliest and latest. You may get the same result by doing this:

source="*0307.log*" trigger0=* OR trigger=*  
| eval  triggerMain = trigger + trigger0
| timechart fixedrange=F span=1h count(triggerMain) as triggerMain


Path Finder

Your second solution works fine. I need the fancy stuff because I only want to see the last 15 days of events, and the latest event is not always "now".

0 Karma

SplunkTrust

Your first problem may be:

(trigger0=* OR trigger=*)

Without seeing more of what your data looks like I can't comment further on your search, but the "no result found" problem may be taken care of with using an OR between your trigger conditions if you don't have BOTH trigger0 and trigger in every event.

Again, without seeing more of what your data looks like, it is hard to tell what is wrong.

Path Finder

Both are extracted fields, and they are always present in different events.
An event looks like:

2015-02-22 23:59:35,255  INFO  [0.809.1.31.] .........  Start executing rule with ID 304. Triggered by a MotionDetection at 05:59:35 (Utc).
0 Karma

Path Finder

Ok, I almost got it. This works:

source="*0307.log*" trigger0=* OR trigger=*  
    [ search trigger0=* | head 1 
     | eval earliest=relative_time(lastTime,"-15d")
     | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ] 
| timechart span=1h eval(count(trigger)) as trigger01, eval(count(trigger0)) as trigger001
| eval triggerMain = trigger01 + trigger001

But all three series are displayed (trigger01, trigger001, triggerMain) and I would like to chart only triggerMain. I haven't managed to so far.

0 Karma

SplunkTrust

Try:

source="*0307.log*" trigger0=* OR trigger=*  
    [ search trigger0=* | head 1 
     | eval earliest=relative_time(lastTime,"-15d")
     | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ] 
| timechart span=1h eval(count(trigger)+count(trigger0)) as triggerMain
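
As an added illustration (not code from the thread or from Splunk), here is a small Python model of the two approaches discussed above: Splunk's eval returns null when either operand of `trigger + trigger0` is missing, so on data where each event carries only one of the two fields, `count(triggerMain)` from the first answer is 0 in every hour, while summing `count(trigger)` and `count(trigger0)` per hour gives the intended total. The event timestamps and field values are constructed sample data.

```python
"""Model of the two per-hour counting approaches from this thread."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events, mimicking Splunk's already-extracted fields:
# each event carries either `trigger` or `trigger0`, never both, as the
# poster describes, plus a timestamp in the log's own format.
EVENTS = [
    {"_time": "2015-02-22 23:59:35,255", "trigger": "MotionDetection"},
    {"_time": "2015-02-22 23:10:00,000", "trigger0": "DoorContact"},
    {"_time": "2015-02-23 00:05:12,001", "trigger": "MotionDetection"},
    {"_time": "2015-02-23 00:40:00,000", "trigger": "GlassBreak"},
    {"_time": "2015-02-23 00:41:30,000", "trigger0": "DoorContact"},
    {"_time": "2015-02-23 01:02:03,004", "trigger0": "DoorContact"},
]


def hour_bucket(ts):
    """span=1h: truncate the event timestamp to the start of its hour."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S,%f")
    return t.replace(minute=0, second=0, microsecond=0).isoformat(sep=" ")


def eval_add(event, a, b):
    """Splunk eval semantics for `a + b`: null if either field is missing;
    otherwise strings concatenate and numbers add."""
    if a not in event or b not in event:
        return None
    return event[a] + event[b]


def timechart_count_eval_field(events):
    """`eval triggerMain = trigger + trigger0 | timechart count(triggerMain)`.
    count() only counts non-null values, so every bucket stays at 0 here."""
    counts = defaultdict(int)
    for e in events:
        bucket = hour_bucket(e["_time"])
        counts[bucket] += 1 if eval_add(e, "trigger", "trigger0") is not None else 0
    return dict(counts)


def timechart_sum_of_counts(events):
    """`timechart span=1h eval(count(trigger)+count(trigger0)) as triggerMain`:
    count each field's presence separately per hour, then add the counts."""
    counts = defaultdict(int)
    for e in events:
        bucket = hour_bucket(e["_time"])
        counts[bucket] += ("trigger" in e) + ("trigger0" in e)
    return dict(counts)
```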

Path Finder

@Cpetterborg's solution works fine and looks easier than lguinn's.

0 Karma