Splunk is too powerful. But I wish the search criteria language would have been more generic, something like SQL 🙂 I have 3 buckets for error, warning and info for each source type. Need help from experts: 1) to add a condition in the error bucket like this: level="ERROR" or log contains any of these ("Failed","Exception","Fatal"); 2) also, in the dashboard line chart, if I clicked on the error line, it should actually take me to those error logs. Is it possible?

<dashboard>
  <label>application Name</label>
  <description>Spark application logs</description>
  <row>
    <panel>
      <title>logs</title>
      <chart>
        <title>Streaming Error Count</title>
        <search>
          <query>index=myindex sourcetype=mysourceType1 |
timechart count as total_logs count(eval(level="INFO")) as total_info count(eval(level="WARN")) as total_warn count(eval(level="ERROR")) as total_error span=1h</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
      </chart>
    </panel>
  </row>
</dashboard>
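An added example (not part of the original post) showing one way to express both requests in Simple XML: each event is assigned to a bucket once with eval, the timechart splits by that bucket so the series names are error/warn/info, and a drilldown condition per series opens a search whose filter is the same rule. The index, sourcetype and field names are taken from the post; the bucket names and the keyword test used for "log contains" (a Splunk term search, so it matches the words Failed/Exception/Fatal rather than arbitrary substrings) are assumptions.

```xml
<dashboard>
  <label>application Name</label>
  <description>Spark application logs: one series per bucket, click-through to raw events</description>
  <row>
    <panel>
      <chart>
        <title>Streaming Error Count</title>
        <search>
          <!-- Bucket each event once (case() takes the first matching branch), so the
               chart and the drilldown searches below apply exactly the same rule.
               searchmatch() runs the same keyword test the drilldown uses. -->
          <query>index=myindex sourcetype=mysourceType1
| eval bucket=case(level="ERROR" OR searchmatch("Failed OR Exception OR Fatal"), "error",
                   level="WARN", "warn",
                   true(), "info")
| timechart span=1h count by bucket</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.layout.splitSeries">0</option>
        <!-- On a timechart click, $earliest$/$latest$ are set to the clicked 1h point and
             the condition's field attribute is matched against the clicked series name. -->
        <drilldown>
          <condition field="error">
            <link target="_blank">search?q=index=myindex sourcetype=mysourceType1 (level="ERROR" OR Failed OR Exception OR Fatal)&amp;earliest=$earliest$&amp;latest=$latest$</link>
          </condition>
          <condition field="warn">
            <!-- WARN events that also carry a keyword were counted as "error" above, so exclude them here too -->
            <link target="_blank">search?q=index=myindex sourcetype=mysourceType1 level="WARN" NOT (Failed OR Exception OR Fatal)&amp;earliest=$earliest$&amp;latest=$latest$</link>
          </condition>
          <condition field="info">
            <link target="_blank">search?q=index=myindex sourcetype=mysourceType1 NOT level="ERROR" NOT level="WARN" NOT (Failed OR Exception OR Fatal)&amp;earliest=$earliest$&amp;latest=$latest$</link>
          </condition>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>
```

Because the drilldown filters are the complement-consistent form of the case() branches, the event count on the landing search for a clicked hour should equal the plotted value for that point; a mismatch is the quickest check that the two rules have drifted apart.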