Solved: timechart and metadata

hunyady · ‎09-29-2015

Hi,
I have two indizes: dbtrace and dbmsg. The 1st "dbtrace" has trace recs of bags, the 2nd "dbmsg" stores the error msgs with PRIO flag.
A timechart (one line per index) should count the recs from dbtrace and count the recs from dbmsg with PRIO 2 flag.

All bags have an ID (p_id).

My timechart should show a line whit all bags counted only once even if there are more recs for the p_id:
i.E. p_id #3 has 5, p_id #4 has 1, and p_id #5 has 2 recs for an interval.
In dbmsg are 6 records for the same timeinterval.

My result from dbtrace are 5+1+2 records for this timeinterval. I'd like to count unique resulting to the value of 3.
Splunk search:
(index=dbtrace status=ERROR) OR (index=dbmsg PRIO=2) | eval typ=case(index=dbtrace,"Error",index=dbmsg,"Message") | timechart span=10m count by typ

Result is : 8 recs from dbtrace and 6 from dbmsg. I need 3 from dbtrace and 6 from dbmsg.

Can Splunk combine in 1 search unique and non unique queries and display it in one timechart ?

somesoni2 · ‎09-29-2015

Try something like this

(index=dbtrace status=ERROR) OR (index=dbmsg PRIO=2)  | timechart span=10m dc(p_id) as "Error" count(eval(index="dbmsg")) as Message

View solution in original post

woodcock · ‎09-29-2015

Like this:

(index=dbtrace status=ERROR) OR (index=dbmsg PRIO=2) | timechart span=10m dc(p_id) BY index | rename dbtrace AS Error dbmsg AS Message

somesoni2 · ‎09-29-2015

Try something like this

(index=dbtrace status=ERROR) OR (index=dbmsg PRIO=2)  | timechart span=10m dc(p_id) as "Error" count(eval(index="dbmsg")) as Message

hunyady · ‎09-30-2015

thank you for woodcock and for somesoni2, answer is OK, it works.

hunyady · ‎09-29-2015

sorry have sent with text "metadata" in title ...

timechart and metadata

Announcing the Expansion of the Splunk Academic Alliance Program

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)