Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timchart - Search queries

ppurokit
Path Finder
‎05-11-2014 08:16 AM

Hi All,

I have the following search queries with me.

index=XXX CISE_Failed_Attempts | timechart span=30m count by CISE_Failed_Attempts | rename NULL as "Failed Authentication Count"

index=XXX CISE_Passed_Authentications | timechart span=30m count by CISE_Passed_Authentications | rename NULL as "Passed Authentications Count"

Is there a way where i could combine both the queries together into a single query like the following

index=XXX CISE_Passed_Authentications OR CISE_Failed_Attempts | timechart span=30m count by CISE_Passed_Authentications , CISE_Failed_Attempts

Individually the search queries work fine. But when i try to do a timechart with two fields it fails.

Please suggest a way to overcome this issue.

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-11-2014 08:29 AM

The most naive way to combine the two would be appendcols:

index=XXX CISE_Failed_Attempts | timechart span=30m count by CISE_Failed_Attempts | rename NULL as "Failed Authentication Count"
| appendcols 
[ search index=XXX CISE_Passed_Authentications | timechart span=30m count by CISE_Passed_Authentications | rename NULL as "Passed Authentications Count" ]

Depending on your data, you may be able to combine the two more smartly, for example like this:

index=XXX CISE_Failed_Attempts OR CISE_Passed_Authentications | eval CISE_Combined = coalesce(CISE_Failed_Attempts, CISE_Passed_Authentications) | timechart span=30m count by CISE_Combined

Note, I've assumed that those two fields have reasonable values... I'm doubting that assumption a bit because of your use of the NULL column. Post some sample data to investigate that.

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-11-2014 09:47 AM

What values do those two fields CISE_Failed_Attempts and CISE_Passed_Authentications have that you use to group by? If their values are distinct then combining them before the timechart will still yield their distinct values for each column.

0 Karma
Reply

ppurokit
Path Finder
‎05-11-2014 09:45 AM

I hope i cant make use of the coalesce command because both are combined together into a single column. But i need both to be separate.

As said i can make use of the said appendcols,but fear that im executing two searches at the same time which could take more time to run.

0 Karma
Reply

ppurokit
Path Finder
‎05-11-2014 09:39 AM

Thanks for the update. Actually my intention is to combine these into a single query and put it into a summary index using sitimechart command and then again write a query to populate back the dashboard,

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...