About kryzew

kryzew · ‎12-10-2020

First solution work for me fine, thank you both for your help. BR

kryzew · ‎12-08-2020

Hello, I'm try go get "0" in my result when there is no events. I get only "no result found". index=*mysearch | timechart count as count | accum count as count Any idea?

kryzew · ‎11-15-2020

Hello, I tired to sum two timecharts in another one, using tokens. It's easy to sum counted value using stats, but I have problem with timecharts, is there any way to do this? <form> <label>Single Value Token</label> <fieldset submitButton="false"> <input type="time" token="tokTime" searchWhenChanged="true"> <label></label> <default> <earliest>-60m@m</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <single> <title>Panel 1 (Error)</title> <search> <query>index=_internal sourcetype=splunkd log_level="Error" | timechart count as Error</query> <earliest>$tokTime.earliest$</earliest> <latest>$tokTime.latest$</latest> <done> <condition match="$job.resultCount$==0"> <set token="tokError">0</set> </condition> <condition> <set token="tokError">$result.Error$</set> </condition> </done> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </single> </panel> <panel> <single> <title>Panel 2 (Warn)</title> <search> <done> <condition match="$job.resultCount$==0"> <set token="tokWarn">0</set> </condition> <condition> <set token="tokWarn">$result.Warn$</set> </condition> </done> <query>index=_internal sourcetype=splunkd log_level="WARN" | timechart count as Warn</query> <earliest>$tokTime.earliest$</earliest> <latest>$tokTime.latest$</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </single> </panel> <panel> <single> <title>Panel 3 (Sum)</title> <search> <query>| makeresults | eval ratio=$tokError$+$tokWarn$ |table ratio | timechart count as ratio</query> <earliest>$tokTime.earliest$</earliest> <latest>$tokTime.latest$</latest> </search> <option name="drilldown">none</option> <option name="numberPrecision">0.000</option> <option name="refresh.display">progressbar</option> </single> </panel> </row> </form> Code give me value 1.000 in Panel 3 (Sum) Or there is another way to save trends?

kryzew · ‎12-28-2019

Hi, @kamlesh_vaghela I tired on this way but its don't work. When I used "Update" or "Microsoft" I can't find field named "Microsoft Update" im metasearch. I use "*Update" don't work too. @gcusello I can't explain, but I can find more than splunk doc say about metasearch. I compare normal search and metasearch, and I have same results, mean time when something hapen. But, I can't show on table more than fields like index, host, source, sourcetype like splunk doc say. BR,

kryzew · ‎12-25-2019

Hi, I' cant end my search using metasearch when I need to find in index something with space betwen like "Microsoft Update". There is no problem to find there one word aplikaction like below: |metasearch index=my_index ("onewordaplikaction") When I try: |metasearch index=my_index ("twoword aplikaction") I get error: Streamed search execute failed because: Error in 'metalitsearch' command: Invalid metasearch. Rawdata is required for this search.. Is there any way to find by metasearch something like "Microsoft Update" or "Update"? Or is just metasearch limit? BR,

Posts	5
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎12-19-2019

Online Status	Offline
Date Last Visited	‎12-10-2020 11:04 AM

Timechart: How to show "0"when no results found

How to sum two timecharts in another one.

Metasearch and Rawdata is required...

Re: Timechart: How to show "0"when no results foun...

Timechart: How to show "0"when no results found

How to sum two timecharts in another one.

Re: Metasearch and Rawdata is required...

Metasearch and Rawdata is required...