Splunk Search

How do you plot two series (total vs matching condition) to a timechart?

orinciog
New Member

Hello!

I have an index with events that have a status field. They come in the index in real time. I have a dashboard with a timechart and here I want to plot two series based on the selected input above. This input is a dropdown list consisting of:

  • All the possible values of the status field (extracted with a search)
  • A static value added by me named all and having the value *

In the timechart, I want to have two series, as follows:

  • One for the total count of those events
  • One for the events that match the selected status from the input AND the value is not "not found"

Until now, I have the following query:

index="my_events" 
| makemv delim="," status
| eval matching=if(status!="not found" AND status="$status_tok$", 1, 0)
| timechart
count(_raw) as "All events"
sum(matching) as "Matching events"

This search works for all the values, but not for the all one. If I select all, the "matching" series will always be 0. I tried to use LIKE or a combination between eval and search but I could not get the desired results.

How can I achieve the above described behavior? Where is the mistake in my query or how can I improve it?

Thanks!

Edit:
I also have a panel with a single value to show only the matching events from the previous hour. It looks like this:

earliest=-1h latest=now() index="my_events" 
| makemv delim="," status
| search status!="not found"
| search status="$sourcetype_tok$"
| timechart span=1h count

I want to say that this is working (maybe because * in combination with search works differently).

0 Karma

woodcock
Esteemed Legend

Change your all value in the dropdown to ".+" and change this line:

 | eval matching=if(status!="not found" AND status="$status_tok$", 1, 0)

To this:

 | eval matching=if(status!="not found" AND match(status, "$status_tok$"), 1, 0)

The problem is that the * character is a wildcard with search but a string literal with eval and where.

richgalloway
SplunkTrust

This is the right idea, but match expects a regular expression and "*" is not valid regex. I think this will do it

 | eval token=if("$status_tok$"="*", ".*", "$status_tok$")
 | eval matching=if(status!="not found" AND match(status, 'token'), 1, 0)

---
If this reply helps you, Karma would be appreciated.
0 Karma

woodcock
Esteemed Legend

No, see the first part of my sentence about changing to .+; that's where the RegEx is.

0 Karma
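A third way to get the behaviour the question asks for, added here as an example and not taken from any of the replies above: searchmatch() evaluates a search string against each event inside eval, so the dropdown's "all" value can stay as * and keeps its wildcard meaning, with no regex rewriting of the token. The index, field, token and series names are the ones from the question; the query itself is assumed, not code from the original thread.

```spl
index="my_events"
| makemv delim="," status
| eval matching=if(searchmatch("status!=\"not found\" status=\"$status_tok$\""), 1, 0)
| timechart
    count as "All events"
    sum(matching) as "Matching events"
```

Because searchmatch() applies search semantics rather than eval string comparison, * expands as a wildcard, a specific status value is compared exactly, and the comparison is made against the multivalue status field produced by makemv in the same way the search command in the single-value panel compares it. Note that the token value is spliced into the search string unquoted, so a status value populated from the data that itself contains a double quote would break the eval; the regex approaches above have the equivalent problem with regex metacharacters.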

felipesewaybric
Contributor

You can try:

 index="my_events" 
 | makemv delim="," status
 | eval matching=if(status!="not found" AND status="$status_tok$", 1, 0)
 | timechart
 count as "All events"
 sum(matching) as "Matching events"
0 Karma