Multiple timechart counts in one search

nanomatical · ‎08-12-2015

Hey Guys, i have spent all day trying to do this:

So this search:

index=nexus RNA-IVS "login failed" | timechart count

provides me with

date count
mon 8
tue 5
wed 3

Its counting all results with the string "login failed".

NOW, what i need is it to do two string counts of different words so i get this result:

date count1 (login failed) count2 (passed)
mon 8 3
tue 5 2
wed 3 3

please assist 😞

Regards

FritzWittwer_ol · ‎08-13-2015

you could try
index=nexus RNA-IVS | rex field=_raw ".login (?\s+)." | timechart count by logstate

make to regexp to match your fields

lguinn2 · ‎08-12-2015

Try this

index=nexus RNA-IVS "login failed" OR passed
| eval status = if(match(_raw,"(?i)login failed"),"Login failed","Passed")
| timechart count by status

If you want to do this for more fields, that is possible. You could have multiple eval statements with different criteria. As long as you assign the appropriate value to status, the above will work.

However, I think you should consider creating some eventtypes for your data. This would let you categorize the information in a number of ways. Let's say that you named your eventtypes RNA_login_failed, RNA_login_success, RNA_connection_started etc. Now your search would be very simple (and flexible):

index=nexus RNA-IVS eventtype=RNA*
| timechart count by eventtype

And if in the future you create more RNA* eventtypes, this search will automatically pick them up.

Video tutorial on eventtypes
Docs on eventtypes

nanomatical · ‎08-12-2015

Thanks for this, it works great, however can i add more than two fields also? I need about four

Regards

nanomatical · ‎08-13-2015

How i wish somebody would answer 😞

lguinn2 · ‎08-13-2015

We do this for free... and in the middle of the night in my timezone... just sayin'

Multiple timechart counts in one search

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life