Solved: timechart for post for multiple web sites

riqbal47010 · ‎11-07-2019

I have multiple web portals.

portal= www.xyz.com, www.abc.com
post_method = get | post

Now I want a timechart like values(post_method) by portal
then I want to use trellis option like for each portal there is seperate graph with number of get and post requests.

woodcock · ‎11-07-2019

Like this:

index="YouShouldAlwaysSpecifyAnIdex" AND sourcetype="AndSourcetypeToo" AND portal IN("www.xyz.com", "www.abc.com")
| timechart count(eval(post_method=="get")) AS Gets count(eval(post_method=="post")) AS Posts BY portal

Then the trellis function be functional and you can just click on which split you like ( portal or post_method )

View solution in original post

woodcock · ‎11-07-2019

Like this:

index="YouShouldAlwaysSpecifyAnIdex" AND sourcetype="AndSourcetypeToo" AND portal IN("www.xyz.com", "www.abc.com")
| timechart count(eval(post_method=="get")) AS Gets count(eval(post_method=="post")) AS Posts BY portal

Then the trellis function be functional and you can just click on which split you like ( portal or post_method )

riqbal47010 · ‎11-11-2019

thanks

it is working now as expected.

Sukisen1981 · ‎11-07-2019

you cant timechart strings, what you need is timechart acount of get or post..something like |timechart count by post_method. You of course can not have 2 fields in the by clause.suggest using stats instead something like
|bin span=1h _time|stats count by post_method,portal

timechart for post for multiple web sites

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation