Thank you, @rich7177. Ran last suggestion; however, got this:
"Error in 'timechart' command: The specifier 'IsSpecial' is invalid. It must be in form (). For example: max(size )."
What I'm trying to achieve is to compare log files and search for two (or three) strings, "timeline" and "current position", from July 27 12:01 AM to July 28 11:59 PM. Then, overlay the results in two graphs as follows:
index=_internal (sourcetype="a1_bridge_log" OR sourcetype="b1_bridge_log") (host="a1" OR host="b1")
earliest=07/27/2017:0:01:0 latest=07/28/2017:23:59:0
| eval IsSpecial=if(match(_raw, "timeline") OR match(_raw, "currentposition"),"Yes","No")
| timechart IsSpecial
where:
index=_internal is the default Splunk Light index I use for both hosts, a1 and b1.
In my environment, a1_bridge_log is the sourcetype for the corresponding logs in host a1.
On the other hand, b1_bridge_log is the sourcetype for the corresponding logs in host b1.
"timeline" and "currentposition" are character strings found in lines of such log files. Thank you for your support.
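The error quoted above comes from `timechart` being given a bare field name: `timechart` needs a statistical function (count, sum, max, ...) and optionally a `by` field to split the series on. The search below is an added example, not part of the original post or any reply in the thread; it reuses the index, sourcetypes, hosts and time window from the post, pads the timestamps to the usual `%m/%d/%Y:%H:%M:%S` form, and assumes the goal is one chart with a separate line per host and per match result so the two hosts can be overlaid directly.

```spl
index=_internal (sourcetype="a1_bridge_log" OR sourcetype="b1_bridge_log") (host="a1" OR host="b1")
    earliest=07/27/2017:00:01:00 latest=07/28/2017:23:59:00
| eval IsSpecial=if(match(_raw, "(?i)timeline|currentposition"), "Yes", "No")
| eval series=host . ":" . IsSpecial
| timechart span=1h count by series
```

Notes on the choices: the parentheses around the sourcetype and host clauses matter because SPL's implicit AND binds tighter than OR, so without them `sourcetype="a1_bridge_log" OR sourcetype="b1_bridge_log" host="a1" OR host="b1"` is read as `sourcetype="a1_bridge_log" OR (sourcetype="b1_bridge_log" AND host="a1") OR host="b1"`. `match()` takes a regular expression and is case-sensitive unless the pattern starts with `(?i)`; a single alternation replaces the two `match()` calls and makes adding a third string trivial. Concatenating `host` and `IsSpecial` into one `series` field yields four lines (a1:Yes, a1:No, b1:Yes, b1:No) hourly; if only matching lines are of interest, replace the last line with `| where IsSpecial="Yes" | timechart span=1h count by host`, which gives one line per host on the same axis.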