- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Combining two search and charting successfull even...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Hello everyone,
Seeking your help. I have logs where Transaction_ID is unique to transaction. Depending on each transaction there can be multiple action. But if there is an error there would be a log generated with Action=Error.
I have created two search
One for successfull creation of transaction:
`base_search` | search action=Error | timechart distinct_count(Transaction_ID) as Successfull
And for errors.
`base_search` | search action!=Error | timechart distinct_count(Transaction_ID) as Error.
I would like to simply display these two in one chart to see number of successfull events vs failed. What would be the best method to combine these two ?
Appreciate any guidance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
It is not clear what time value you want to chart so I have assumed the last time for the transaction, I have also assumed you want daily counts. Gather the actions per transaction, and set status based on whether "error" is one of the status for the transaction.
| stats values(actions) as actions last(_time) as _time by transactionid
| eval status=if(match(actions,"error"),"Error","Successful")
| timechart span=1d dc(transactionid) by status- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
It is not clear what time value you want to chart so I have assumed the last time for the transaction, I have also assumed you want daily counts. Gather the actions per transaction, and set status based on whether "error" is one of the status for the transaction.
| stats values(actions) as actions last(_time) as _time by transactionid
| eval status=if(match(actions,"error"),"Error","Successful")
| timechart span=1d dc(transactionid) by status
Register for FREE Today!
We've made .conf21 totally virtual
and totally FREE! Our completely
online experience will run from 10/19
through 10/20 with some additional
events, too!
Learn More or Register Now >
