@richgalloway Please find the query below.  index=XXX sourcetype=YYY source=*deploy_status.list host=ABC OR host=DEF | stats count by Deploy_Status   FYI, we have given field extractions for the comma delimiters Output  for this log is as below ABC,project/env,7654321,jenkins-111111.mnopqrs.int-554@abc,Deployment_Failed ABC,project/env,7654321,jenkins-121211.qwertyui.int-560,Deployment_Successful ... View more

@richgalloway I want to take input data from a log file instead of giving input in my query. Kindly help on that. ... View more

@richgalloway This worked, thanks a bunch for ur help! ... View more

@richgalloway You're great..this worked, thank you..but by any chance i can get status in 2 different columns ? that's my ultimate aim.. ... View more

@richgalloway Indeed i used 'by' command but forgot to mention it..It didn't give me the expected output even after using.. Current scenario is, In Status1.log Server,Env,Req,Package,INC_Num,Stage_Status - Extracted the event and named the fields like this.. host1,PROD,1666680,mobile1,INC,Staging_Successful host1,PROD,1666680,mobile2,INC,Staging_Successful host1,PROD,1666680,mobile3,INC,Staging_Successful Status2.log Server,Env,Req,Package,Deploy_Status - Extracted the event and named the fields like this.. host1,PROD,1666680,mobile1,Deployment_Successful host1,PROD,1666680,mobile2,Deployment_Successful host1,PROD,1666680,mobile3,Deployment_Successful Query used: (sourcetype=abc source=Status1.log) OR (sourcetype=abc source=Status2.log) | stats values(*) by Server,Env,Req,Package,Stage_Status,Deploy_Status There are 244 events present in each log. When i run this query, i got output with only 3 rows...But i need all 244 rows..Below o/p i got with improper data aligned in different columns.. Server Env Req Package Stage_Status Deploy_Status host1 PROD 1666680 mobile1 PROD Deployment_Successful host host1 PROD 1666680 mobile2 PROD Deployment_Successful host host1 PROD NIL mobile3 Staging_Successful INC in addition to this, am getting extra columns for all the unselected fields like values(commands), values(host), values(linecount) etc..I don't need this.. Please suggest what's the problem in this..else suggest the other idea.. ... View more

sourcetype=sourcetype1 source=.log | rex field=_raw "(?\w+-\d+)\,(?\w+\/\w+)\,(?\d+)\,(?\w+)\,(?\w+.)" | stats count by Status Output am getting as NONE in pie chart view. please note: If i have only one kind of status example as "deployment_successful" in my log, I can seethe count, but if there are different statuses, I cannot create a pie chart ... View more

@richgalloway in Status1.log, i just noticed that, i have one extra field before 'Staging_Successful'. So currently i have 6 fields in Status1.log and 5 fields in Status2.log..The query i used is, (sourcetype=abc source=Status1.log) OR (sourcetype=abc source=Status2.log) | stats values(*) field1, field2, field3, field4, field5 Since there is a difference in fields, am getting results in unexpected format. and how to remove one unwanted field from Status1.log to achieve the desired result ? ... View more

@richgalloway this is not working as expected, am getting data in different way altogether. Please suggest another way to do this. ... View more

Current query: index= " " sorucetype= " " Error Result: we are getting all the error patterns, but not in tabular format. Expected output: Hostname ear.name type of exception xyz xyz.ear DMGR exception abc abc.ear SOAP exception ... View more

@ololdach Multi-series timechart is my requirement... ... View more

Hi @ololdach , thanks for the suggestion. But we want the same in multiseries, Like host wise we need this.. Filesystem(in chart ) vs time(x-axis) vs values(y-axis) host-1 chart: Filesystem(in chart ) vs time(x-axis) vs values(y-axis) host -2 chart: Filesystem(in chart ) vs time(x-axis) vs values(y-axis) both charts should be in single dashboard.. ... View more

Hi @richgalloway 'Mon, represents the file system(eg. /apps, /logs, /opt). We want to monitor disk usage of selective file systems from the data we have. Data is already on boarded under Splunk in below format. Filesystem,Size,Used,Avail,Use%,Mounted,on /dev/mapper/rootvg-lv_opt,30G,20G,8.4G,71%,/opt /dev/mapper/rootvg-lv_tmp,9.8G,759M,8.6G,8%,/tmp /dev/mapper/rootvg-lv_var,9.8G,6.7G,2.6G,73%,/var /dev/mapper/appsvg-lv_apps,89G,60G,25G,72%,/apps By using the query mentioned in description, we are able to create chart dashboard. But we need timechart dashboard which shows variation in each file system host wise. Let me know if you need any further details. ... View more