- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do you plot two series (total vs matching cond...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you plot two series (total vs matching condition) to a timechart?
Hello!
I have an index with events that have a status field. They come in the index in real time. I have a dashboard with a timechart and here I want to plot two series based on the selected input above. This input is a dropdown list consisting of:
- All the possible values of the
statusfield (extracted with a search) - A static value added by me named
alland having the value*
In the timechart, I want to have two series, as follows:
- One for the total count of those events
- One for the events that match the selected status from the input
ANDthe value is notnot found
Until now, I have the following query:
index="my_events"
| makemv delim="," status
| eval matching=if(status!="not found" AND status="$status_tok$", 1, 0)
| timechart
count(_raw) as "All events"
sum(matching) as "Matching events"
This search works for all the values, but not for the all one. If I select all, the "matching" series will always be 0. I tried to use LIKE or a combination between eval and search but I could not get the desired results.
How can I achieve the above described behavior? Where is the mistake in my query or how can I improve it?
Thanks!
Edit:
I also have a panel with a single value to show only the matching events from the previous hour. It looks like this:
earliest=-1h latest=now() index="my_events"
| makemv delim="," status
| search status!="not found"
| search status="$sourcetype_tok$"
| timechart span=1h count
I want to say that this is working (maybe because * in combination with search works different).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Change your all value in the dropdown to .+. and change this line:
| eval matching=if(status!="not found" AND status="$status_tok$", 1, 0)
To this:
| eval matching=if(status!="not found" AND match(status, "$status_tok$"), 1, 0)
The problem is that the * character is a wildcard with search but a string literal with eval and where.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is the right idea, but match expects a regular expression and "*" is not valid regex. I think this will do it
| eval token=if($status_tok$="*", ".*", $status_tok$) | | eval matching=if(status!="not found" AND match(status, 'token'), 1, 0)
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, see the first part of my sentence about changing to .+; that's where the RegEx is.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can try:
index="my_events"
| makemv delim="," status
| eval matching=if(status!="not found" AND status="$status_tok$", 1, 0)
| timechart
count as "All events"
sum(matching) as "Matching events"
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
