Solved: timechart and metadata

hunyady · ‎09-29-2015

Hi,
I have two indizes: dbtrace and dbmsg. The 1st "dbtrace" has trace recs of bags, the 2nd "dbmsg" stores the error msgs with PRIO flag.
A timechart (one line per index) should count the recs from dbtrace and count the recs from dbmsg with PRIO 2 flag.

All bags have an ID (p_id).

My timechart should show a line whit all bags counted only once even if there are more recs for the p_id:
i.E. p_id #3 has 5, p_id #4 has 1, and p_id #5 has 2 recs for an interval.
In dbmsg are 6 records for the same timeinterval.

My result from dbtrace are 5+1+2 records for this timeinterval. I'd like to count unique resulting to the value of 3.
Splunk search:
(index=dbtrace status=ERROR) OR (index=dbmsg PRIO=2) | eval typ=case(index=dbtrace,"Error",index=dbmsg,"Message") | timechart span=10m count by typ

Result is : 8 recs from dbtrace and 6 from dbmsg. I need 3 from dbtrace and 6 from dbmsg.

Can Splunk combine in 1 search unique and non unique queries and display it in one timechart ?

somesoni2 · ‎09-29-2015

Try something like this

(index=dbtrace status=ERROR) OR (index=dbmsg PRIO=2)  | timechart span=10m dc(p_id) as "Error" count(eval(index="dbmsg")) as Message

View solution in original post

woodcock · ‎09-29-2015

Like this:

(index=dbtrace status=ERROR) OR (index=dbmsg PRIO=2) | timechart span=10m dc(p_id) BY index | rename dbtrace AS Error dbmsg AS Message

somesoni2 · ‎09-29-2015

Try something like this

(index=dbtrace status=ERROR) OR (index=dbmsg PRIO=2)  | timechart span=10m dc(p_id) as "Error" count(eval(index="dbmsg")) as Message

hunyady · ‎09-30-2015

thank you for woodcock and for somesoni2, answer is OK, it works.

hunyady · ‎09-29-2015

sorry have sent with text "metadata" in title ...

timechart and metadata

Index This | Divide 100 by half. What do you get?

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Splunk and Fraud