Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: timechart overlay multiple strings
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
timechart overlay multiple strings
sunil_sharma
New Member
09-20-2013
11:43 AM
I want to search 2 strings in log file, like "A string" & "B String", A string should be treated as successful and B as Failure. Next I want to overlay both as line timechart, where successful events should go above x-axis and Failure events go below x-axis or they are showed as different colors.How this can be done?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SaiSirisha
New Member
03-06-2015
01:04 AM
How can I do a timechart with 2 strings and also give a Alias names to the string . How can span the reults for 1 day within same query?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
laserval
Communicator
03-06-2015
04:56 AM
You should post this as a new question, or a comment, instead of an answer to the top question.
But to answer your answer: You can create an alias (called a search macro in Splunk) for a search string in the GUI under Settings - Advanced Search - Search Macros. To use the macro once it's been created, you have to surround your macro with backticks, like this: myawesomemacro()
As for span, you can use span=1d. Check the timechart search command help and you will find thespan option along with some example usage.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SaiSirisha
New Member
03-09-2015
12:40 AM
Hi,
I knew that I had to post as new question and I even tried but continously gave me form error. That the reason I posted my question as an answer.
Anyways Thank you so much for the reply. it worked.
Sorry for inconvenience caused.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SaiSirisha
New Member
03-06-2015
12:44 AM
Thank you Iguinn,
It almost worked but how do I give alias to search string? My timechart shows Success and failure which I don't wanna show instead I want to give alias to them and also span for a day,Hi Thank you for your answer it almost worked but how do I give alias for search string and search for span of a 1day
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
09-20-2013
03:25 PM
There are many ways, but this might be easiest.
source=logfilename "A string"
| eval series = "Success"
| append [ search source=logfilename "B string"
| eval series = "Failure" ]
| timechart count by series
Get Updates on the Splunk Community!
Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust
Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...
Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination
Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...
Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar
Are you ready to take your threat hunting skills to the next level? As Splunk community members, you know the ...
