Splunk Search

Multiple timechart counts in one search

New Member

Hey Guys, i have spent all day trying to do this:

So this search:

index=nexus RNA-IVS "login failed" | timechart count

provides me with

date count
mon 8
tue 5
wed 3

Its counting all results with the string "login failed".

NOW, what i need is it to do two string counts of different words so i get this result:

date count1 (login failed) count2 (passed)
mon 8 3
tue 5 2
wed 3 3

please assist 😞


Tags (2)
0 Karma


you could try
index=nexus RNA-IVS | rex field=_raw ".login (?\s+)." | timechart count by logstate

make to regexp to match your fields

0 Karma


Try this

index=nexus RNA-IVS "login failed" OR passed
| eval status = if(match(_raw,"(?i)login failed"),"Login failed","Passed")
| timechart count by status

If you want to do this for more fields, that is possible. You could have multiple eval statements with different criteria. As long as you assign the appropriate value to status, the above will work.

However, I think you should consider creating some eventtypes for your data. This would let you categorize the information in a number of ways. Let's say that you named your eventtypes RNA_login_failed, RNA_login_success, RNA_connection_started etc. Now your search would be very simple (and flexible):

index=nexus RNA-IVS eventtype=RNA*
| timechart count by eventtype

And if in the future you create more RNA* eventtypes, this search will automatically pick them up.

Video tutorial on eventtypes
Docs on eventtypes

0 Karma

New Member

Thanks for this, it works great, however can i add more than two fields also? I need about four


0 Karma

New Member

How i wish somebody would answer 😞

0 Karma


We do this for free... and in the middle of the night in my timezone... just sayin'

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...