Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: timechart and metadata
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have two indizes: dbtrace and dbmsg. The 1st "dbtrace" has trace recs of bags, the 2nd "dbmsg" stores the error msgs with PRIO flag.
A timechart (one line per index) should count the recs from dbtrace and count the recs from dbmsg with PRIO 2 flag.
All bags have an ID (p_id).
My timechart should show a line whit all bags counted only once even if there are more recs for the p_id:
i.E. p_id #3 has 5, p_id #4 has 1, and p_id #5 has 2 recs for an interval.
In dbmsg are 6 records for the same timeinterval.
My result from dbtrace are 5+1+2 records for this timeinterval. I'd like to count unique resulting to the value of 3.
Splunk search:
(index=dbtrace status=ERROR) OR (index=dbmsg PRIO=2) | eval typ=case(index=dbtrace,"Error",index=dbmsg,"Message") | timechart span=10m count by typ
Result is : 8 recs from dbtrace and 6 from dbmsg. I need 3 from dbtrace and 6 from dbmsg.
Can Splunk combine in 1 search unique and non unique queries and display it in one timechart ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
(index=dbtrace status=ERROR) OR (index=dbmsg PRIO=2) | timechart span=10m dc(p_id) as "Error" count(eval(index="dbmsg")) as Message
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
(index=dbtrace status=ERROR) OR (index=dbmsg PRIO=2) | timechart span=10m dc(p_id) BY index | rename dbtrace AS Error dbmsg AS Message
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
(index=dbtrace status=ERROR) OR (index=dbmsg PRIO=2) | timechart span=10m dc(p_id) as "Error" count(eval(index="dbmsg")) as Message
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you for woodcock and for somesoni2, answer is OK, it works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry have sent with text "metadata" in title ...
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
