Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to generate a timechart from multiple data sources?

ataunk
Explorer
‎03-02-2017 06:58 PM

I need a time chart from multiple source --

First source search : host=abcdefgh source="Test.log" index=app_ops_prod SessionID="*"
Second Source search : host=abcdefgh source="Test.log" index=app_ops_prod "error.timeout"
Third Source search : host=abcdefgh source="Test.log" index=app_ops_prod "error.badurl"

My SessionID is a field, but other two strings might be present in the raw log. In short, for one request a log line is generated which will always have a SessionID, but few log lines may contain error. I want a timechart that will show number of request (i.e. count of SessionID) and the errors in all the request.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-03-2017 07:18 AM

Try like this

host=abcdefgh source="Test.log" index=app_ops_prod (SessionID="*" OR "error.timeout" OR  "error.badurl" )
| eval TimeoutError=if(searchmatch("error.timeout"),1,0) | eval BadUrlError=if(searchmatch("error.badurl"),1,0) 
| timechart count(SessionID) as NoOfRequests sum(TimeoutError) as TimeoutError sum(BadUrlError) as BadUrlError

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-03-2017 07:18 AM

Try like this

host=abcdefgh source="Test.log" index=app_ops_prod (SessionID="*" OR "error.timeout" OR  "error.badurl" )
| eval TimeoutError=if(searchmatch("error.timeout"),1,0) | eval BadUrlError=if(searchmatch("error.badurl"),1,0) 
| timechart count(SessionID) as NoOfRequests sum(TimeoutError) as TimeoutError sum(BadUrlError) as BadUrlError
Reply
Solved! Jump to solution

ataunk
Explorer
‎03-03-2017 07:33 AM

This is working as expected.

0 Karma
Reply
Solved! Jump to solution

arcdevil
Path Finder
‎03-03-2017 05:18 AM

Plz try that.

index=app_ops_prod host=abcdefgh source="Test.log" SessionID="*" | timechart span=1m count(SessionID) | appendcols [search index=app_ops_prod host=abcdefgh source="Test.log" ("error.badurl" OR "error.timeout") | timechart span=1m count]

Also on the chart, you can add the chart overlay to better illustrate your data.

0 Karma
Reply
Solved! Jump to solution

ataunk
Explorer
‎03-03-2017 07:34 AM

Not sure about this. It is not giving expected results. But, the one answer posted below seems to work fine

0 Karma
Reply
Solved! Jump to solution

arcdevil
Path Finder
‎03-03-2017 07:55 AM

No problem 🙂 I'm glad to hear that your problem has been solved.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...