Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

timechart 2 different fields in one search

sbattista09
Contributor
‎01-30-2015 05:06 PM

I seem to be having issues with time charting, i want to get a trend over time for more then one field. I have tried a few different ways but can get my head around it. I would like to build this off of the example below.

Example "This is in a stacked Column view" -
index=index1 |eval RISK=case(RISK==4,"High",RISK==5,"Severe") |chart count by SUBCATEGORY,RISK useother=f usenull=f

let me know if you need anymore information, i know this is a pretty general question.

thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

fdi01
Motivator
‎02-02-2015 06:10 AM

use simplily timechart command. is this show you dynamic chart of this two host on times..

index=index1 |eval RISK=case(RISK==4,"High",RISK==5,"Severe") |timechart count by RISK, SUBCATEGORY useother=f usenull=f
or
index=index1 |timechart count(eval RISK=4) as "High" count(eval RISK=5) as "Severe" by SUBCATEGORY useother=f usenull=f

View solution in original post

Reply
Solved! Jump to solution

sbattista09
Contributor
‎02-02-2015 05:54 PM

still getting odd results-

|timechart count(eval RISK=4) as "High" count(eval RISK=5) as "Severe" by SUBCATEGORY useother=f usenull=f gave me a chart however it did not count anything, all the results were 0.

|eval RISK=case(RISK==4,"High",RISK==5,"Severe") |timechart count by RISK, SUBCATEGORY useother=f usenull=f gave me "Error in 'timechart' command: The argument 'SUBCATEGORY' is invalid."

Thanks for the help!

0 Karma
Reply
Solved! Jump to solution
Solution

fdi01
Motivator
‎02-02-2015 06:10 AM

use simplily timechart command. is this show you dynamic chart of this two host on times..

index=index1 |eval RISK=case(RISK==4,"High",RISK==5,"Severe") |timechart count by RISK, SUBCATEGORY useother=f usenull=f
or
index=index1 |timechart count(eval RISK=4) as "High" count(eval RISK=5) as "Severe" by SUBCATEGORY useother=f usenull=f

Reply
Solved! Jump to solution

sbattista09
Contributor
‎02-02-2015 05:12 AM

thanks,

however i wanted to turn this into a time chart to see a trend over time. Do you think this would be possible ?

0 Karma
Reply
Solved! Jump to solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎01-31-2015 09:54 AM 
index=index1 
|chart count(eval RISK=4) as "High" count(eval RISK=5) as "Severe" by SUBCATEGORY useother=f usenull=f
With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...