Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: timechart overlay multiple strings
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
timechart overlay multiple strings
I want to search 2 strings in log file, like "A string" & "B String", A string should be treated as successful and B as Failure. Next I want to overlay both as line timechart, where successful events should go above x-axis and Failure events go below x-axis or they are showed as different colors.How this can be done?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I do a timechart with 2 strings and also give a Alias names to the string . How can span the reults for 1 day within same query?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should post this as a new question, or a comment, instead of an answer to the top question.
But to answer your answer: You can create an alias (called a search macro in Splunk) for a search string in the GUI under Settings - Advanced Search - Search Macros. To use the macro once it's been created, you have to surround your macro with backticks, like this: myawesomemacro()
As for span, you can use span=1d. Check the timechart search command help and you will find thespan option along with some example usage.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I knew that I had to post as new question and I even tried but continously gave me form error. That the reason I posted my question as an answer.
Anyways Thank you so much for the reply. it worked.
Sorry for inconvenience caused.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Iguinn,
It almost worked but how do I give alias to search string? My timechart shows Success and failure which I don't wanna show instead I want to give alias to them and also span for a day,Hi Thank you for your answer it almost worked but how do I give alias for search string and search for span of a 1day
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are many ways, but this might be easiest.
source=logfilename "A string"
| eval series = "Success"
| append [ search source=logfilename "B string"
| eval series = "Failure" ]
| timechart count by series
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
