Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

timechart overlay multiple strings

sunil_sharma
New Member
‎09-20-2013 11:43 AM

I want to search 2 strings in log file, like "A string" & "B String", A string should be treated as successful and B as Failure. Next I want to overlay both as line timechart, where successful events should go above x-axis and Failure events go below x-axis or they are showed as different colors.How this can be done?

Tags (2)
0 Karma
Reply

SaiSirisha
New Member
‎03-06-2015 01:04 AM

How can I do a timechart with 2 strings and also give a Alias names to the string . How can span the reults for 1 day within same query?

0 Karma
Reply

laserval
Communicator
‎03-06-2015 04:56 AM

You should post this as a new question, or a comment, instead of an answer to the top question.

But to answer your answer: You can create an alias (called a search macro in Splunk) for a search string in the GUI under Settings - Advanced Search - Search Macros. To use the macro once it's been created, you have to surround your macro with backticks, like this: myawesomemacro(). The parenthesis are best to include, since there are cases where they are required even if you have no arguments.

As for span, you can use span=1d. Check the timechart search command help and you will find thespan option along with some example usage.

0 Karma
Reply

SaiSirisha
New Member
‎03-09-2015 12:40 AM

Hi,
I knew that I had to post as new question and I even tried but continously gave me form error. That the reason I posted my question as an answer.

Anyways Thank you so much for the reply. it worked.
Sorry for inconvenience caused.

0 Karma
Reply

SaiSirisha
New Member
‎03-06-2015 12:44 AM

Thank you Iguinn,
It almost worked but how do I give alias to search string? My timechart shows Success and failure which I don't wanna show instead I want to give alias to them and also span for a day,Hi Thank you for your answer it almost worked but how do I give alias for search string and search for span of a 1day

0 Karma
Reply

lguinn2
Legend
‎09-20-2013 03:25 PM

There are many ways, but this might be easiest.

source=logfilename "A string"
| eval series = "Success"
| append [ search source=logfilename "B string"
     | eval series = "Failure" ]
| timechart count by series
0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...