Splunk Search

timechart and metadata

hunyady
Explorer

Hi,
I have two indizes: dbtrace and dbmsg. The 1st "dbtrace" has trace recs of bags, the 2nd "dbmsg" stores the error msgs with PRIO flag.
A timechart (one line per index) should count the recs from dbtrace and count the recs from dbmsg with PRIO 2 flag.

All bags have an ID (p_id).

My timechart should show a line whit all bags counted only once even if there are more recs for the p_id:
i.E. p_id #3 has 5, p_id #4 has 1, and p_id #5 has 2 recs for an interval.
In dbmsg are 6 records for the same timeinterval.

My result from dbtrace are 5+1+2 records for this timeinterval. I'd like to count unique resulting to the value of 3.
Splunk search:
(index=dbtrace status=ERROR) OR (index=dbmsg PRIO=2) | eval typ=case(index=dbtrace,"Error",index=dbmsg,"Message") | timechart span=10m count by typ

Result is : 8 recs from dbtrace and 6 from dbmsg. I need 3 from dbtrace and 6 from dbmsg.

Can Splunk combine in 1 search unique and non unique queries and display it in one timechart ?

1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try something like this

(index=dbtrace status=ERROR) OR (index=dbmsg PRIO=2)  | timechart span=10m dc(p_id) as "Error" count(eval(index="dbmsg")) as Message

View solution in original post

0 Karma

woodcock
Esteemed Legend

Like this:

(index=dbtrace status=ERROR) OR (index=dbmsg PRIO=2) | timechart span=10m dc(p_id) BY index | rename dbtrace AS Error dbmsg AS Message
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try something like this

(index=dbtrace status=ERROR) OR (index=dbmsg PRIO=2)  | timechart span=10m dc(p_id) as "Error" count(eval(index="dbmsg")) as Message
0 Karma

hunyady
Explorer

thank you for woodcock and for somesoni2, answer is OK, it works.

0 Karma

hunyady
Explorer

sorry have sent with text "metadata" in title ...

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...