Hi,
I am new to using Splunk Enterprise and not so familiar with the search strings and other stuff 🙂
Here is my requirement:
Search the logs for errors/exceptions/timeouts etc. and display them as a stacked bar view with color coding.
Example: error - red, exception - green, etc.
The Y axis should have the count and the X axis should have the source type.
The resulting bar representation should show error/exception etc. in stacked form with different colors; once we click on a color it should take us to the corresponding logs with the specific error/exception etc.
Here is the search string:
index=** host=* source=logs AND ("ERROR" OR "exception" OR "timeout") | TOP sourcetype
Please suggest, as this is something important for my ongoing project.
Try this
index=** host=* source=logs AND ("ERROR" OR "exception" OR "timeout") | rex "(?<err>ERROR|exception|timeout)" | chart count over host by err usenull=f
Thanks Sundaresh,
This is getting me results, but they are only partial.
I can see a stacked bar with two colors: one is errors/exceptions (a bluish color) and the other is an orange/yellowish color which says null, and clicking on it leads nowhere.
The Y axis should show the count and the stacked bar should have errors/exceptions/timeouts etc. stacked with different colors.
I am unable to attach an image which represents this idea, which would have given a clearer picture.
Please suggest the changes to complete this 🙂 Thanks for your help.
What do you get when you run this search? Also, can you share a sample event for each of the error types (ERROR, exception, timeout)?
index=** host=* source=logs AND ("ERROR" OR "exception" OR "timeout") | rex "(?<err>ERROR|exception|timeout)" | table _time host err
Hi Sundaresh,
I did get good results now with the first string that you provided, and thanks a lot (it might have been some mistake at my end).
Just a last concern... as mentioned, today I see a lot of NULL in the bars, and clicking it leads nowhere. Is it possible to remove it or hide it from the search results?
Add usenull=f to the chart command. I've updated the original answer.
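The thread does not say where the NULL series comes from. One common cause is that the base search matches keywords case-insensitively, while `rex` uses a case-sensitive regex unless the pattern starts with `(?i)`. An event such as "Error: Timeout waiting for upstream" is therefore returned by the search but gets no `err` field, so it lands in the NULL bar; `usenull=f` hides that bar, but it also silently drops those events from the counts. The script below is an added example, not from the thread and not Splunk code: it emulates the search, `rex` and `chart` steps in Python over a few constructed log lines (hosts, sourcetypes and messages are invented) to show both outcomes. The SPL equivalent of the fix it demonstrates is `rex "(?i)(?<err>error|exception|timeout)" | eval err=lower(err)` before the `chart` command.

```python
import re
from collections import defaultdict

# Constructed sample events (host, sourcetype, raw message); not from the thread.
SAMPLE_EVENTS = [
    ("web01", "app_log", "2024-01-01T10:00:01 ERROR Database connection refused"),
    ("web01", "app_log", "2024-01-01T10:00:05 java.lang.NullPointerException: exception in handler"),
    ("web02", "app_log", "2024-01-01T10:01:00 Request timeout after 30s"),
    ("web02", "app_log", "2024-01-01T10:01:30 Error: Timeout waiting for upstream"),
    ("web02", "app_log", "2024-01-01T10:02:00 INFO request served in 12ms"),
]

SEARCH_TERMS = ("ERROR", "exception", "timeout")

# Splunk's rex uses PCRE syntax (?<err>...); Python's re needs (?P<err>...).
CASE_SENSITIVE = r"(?P<err>ERROR|exception|timeout)"       # what the thread's rex does
CASE_INSENSITIVE = r"(?i)(?P<err>error|exception|timeout)"  # rex with the (?i) flag


def base_search(events, terms=SEARCH_TERMS):
    """Emulate the base search: keyword matching is case-insensitive."""
    lowered = [t.lower() for t in terms]
    return [e for e in events if any(t in e[2].lower() for t in lowered)]


def rex_extract(events, pattern, lowercase=False):
    """Emulate `rex`: add an 'err' field, or None when the regex does not match.
    lowercase=True emulates a following `eval err=lower(err)`."""
    rx = re.compile(pattern)
    rows = []
    for host, sourcetype, raw in events:
        m = rx.search(raw)
        err = m.group("err") if m else None
        if err is not None and lowercase:
            err = err.lower()
        rows.append({"host": host, "sourcetype": sourcetype, "_raw": raw, "err": err})
    return rows


def chart_count_over_by(rows, over, by, usenull=True):
    """Emulate `chart count over <over> by <by>`.
    Events with no <by> value form a NULL series unless usenull=False,
    in which case they are dropped from the counts entirely."""
    table = defaultdict(lambda: defaultdict(int))
    for r in rows:
        key = r[by]
        if key is None:
            if not usenull:
                continue
            key = "NULL"
        table[r[over]][key] += 1
    return {over_val: dict(series) for over_val, series in table.items()}


def run(pattern, usenull=True, lowercase=False):
    """Run the whole pipeline: search | rex | chart count over host by err."""
    hits = base_search(SAMPLE_EVENTS)
    rows = rex_extract(hits, pattern, lowercase=lowercase)
    return chart_count_over_by(rows, over="host", by="err", usenull=usenull)


if __name__ == "__main__":
    # The thread's pipeline: the mixed-case event ends up in a NULL series.
    print("case-sensitive rex, usenull=t:", run(CASE_SENSITIVE))
    # usenull=f hides the NULL series, but that event is no longer counted at all.
    print("case-sensitive rex, usenull=f:", run(CASE_SENSITIVE, usenull=False))
    # (?i) plus lower() keeps every matching event in a real series.
    print("(?i) rex + lower():          ", run(CASE_INSENSITIVE, lowercase=True))
```

The first two runs show that `usenull=f` only changes what is drawn, not what was extracted; the third shows the event counted under its proper category, which is what you want when the chart is used to judge how many errors a host actually produced.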
Perfect 🙂
Will get back to you if I have any questions on my upcoming project.
Please accept this answer to close it out.