Solved: Combining two search and charting successfull even...

kermit_maness · ‎05-23-2021

Hello everyone,

Seeking your help. I have logs where Transaction_ID is unique to transaction. Depending on each transaction there can be multiple action. But if there is an error there would be a log generated with Action=Error.

I have created two search

One for successfull creation of transaction:

`base_search` | search action=Error | timechart distinct_count(Transaction_ID) as Successfull

And for errors.

`base_search` | search action!=Error | timechart distinct_count(Transaction_ID) as Error.

I would like to simply display these two in one chart to see number of successfull events vs failed. What would be the best method to combine these two ?

Appreciate any guidance.

ITWhisperer · ‎05-23-2021

It is not clear what time value you want to chart so I have assumed the last time for the transaction, I have also assumed you want daily counts. Gather the actions per transaction, and set status based on whether "error" is one of the status for the transaction.

| stats values(actions) as actions last(_time) as _time by transactionid
| eval status=if(match(actions,"error"),"Error","Successful")
| timechart span=1d dc(transactionid) by status

View solution in original post

ITWhisperer · ‎05-23-2021

It is not clear what time value you want to chart so I have assumed the last time for the transaction, I have also assumed you want daily counts. Gather the actions per transaction, and set status based on whether "error" is one of the status for the transaction.

| stats values(actions) as actions last(_time) as _time by transactionid
| eval status=if(match(actions,"error"),"Error","Successful")
| timechart span=1d dc(transactionid) by status

View solution in original post

Combining two search and charting successfull event and errors in one chart.

chart

subsearch

timechart

transaction

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>