Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to modify my search in order to create stacked bar chart that shows errors, exceptions, or timeouts?

Kumar1980
New Member
‎10-03-2016 02:25 PM

HI ,

I am new to using Splunk Enterprise and not so familiar with the search strings and other stuff 🙂

here is my requirement :

search the logs for errors/exceptions/timeout/etc... and display it as a stacked bar view with color code

example: error - Red exception - green etc...

Y axis should have the count and X - axis should have source type

the resulting bar representation should show error/exception etc .. in stacked form with different colors, once we click on colors it should take us to the corresponding logs with the specific error/exception etc ...

Here is the search string : 

index=**  host=* source=logs AND ("ERROR" OR "exception" OR "timeout") | TOP sourcetype

please suggest as this is something important for my ongoing project

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-03-2016 03:24 PM

Try this

index=**  host=* source=logs AND ("ERROR" OR "exception" OR "timeout") | rex "(?<err>ERROR|exception|timeout)" | chart count over host by err usenull=f

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-03-2016 03:24 PM

Try this

index=**  host=* source=logs AND ("ERROR" OR "exception" OR "timeout") | rex "(?<err>ERROR|exception|timeout)" | chart count over host by err usenull=f
0 Karma
Reply
Solved! Jump to solution

Kumar1980
New Member
‎10-09-2016 05:53 AM

Thanks Sundaresh,

This is getting me results but they are partial only

i can see a stacked bar with two colors, one of which is errors/exceptions (Bluish color) and the other is an orange/yellowish color which says null and clicking on it leads no where

Y axis should show the count and the stacked bar should have errors/exceptions/timeout etc... stacked with different colors

Unable to attach an image which represents this idea , which would have given a clear picture

Please suggest the changes to complete this 🙂 Thanks for your help

  • Praneeth
0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎10-09-2016 07:19 AM

What do you get when you run this search. Also, can you share sample event with each of the error code (ERROR, exception, timeout).

index=**  host=* source=logs AND ("ERROR" OR "exception" OR "timeout") | rex "(?<err>ERROR|exception|timeout)" | table _time host err
0 Karma
Reply
Solved! Jump to solution

Kumar1980
New Member
‎10-09-2016 07:46 AM

HI Sundaresh,

I did get good results now with the first string that you have provided and thanks a lot (might be some mistake at my end)

Just a last concern ... as mentioned today i see lot of NULL in the bars .. clicking it leads nowhere, is it possible to remove it or hide it from the search results

  • Praneeth
0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎10-09-2016 08:13 AM

Add usenull=f to the chart command. I've updated the original answer

0 Karma
Reply
Solved! Jump to solution

Kumar1980
New Member
‎10-09-2016 08:37 AM

Perfect 🙂

Will get back to you if i have any questions on my upcoming project

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎10-09-2016 12:02 PM

Please accept this answer to close it out

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...