- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Timechart search and subsearch together
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Timechart search and subsearch together
I'm trying to graph the total number of hits to our website alongside the total number of hits to a subset of pages within the site. I've seen a few examples using eval, stats, and append, but can't seem to make anything work
Here is what I have so far.....
index="iis_logs"
| eval SearchNumber="cs_uri_stem=/site1* OR cs_uri_stem=/site1a*"
| stats count(cs_uri_stem) by SearchNumber
| append [search index="iis_logs"
| eval SearchNumber=
"cs_uri_stem="*subsite1*" OR
cs_uri_stem="*subsite2*" OR
cs_uri_stem="*subsite3*" OR
cs_uri_stem="*subsite4*""
| stats count(cs_uri_stem)]
| timechart span=1h count by SearchNumber
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Hiroshi, that did the trick.
I have a new issue regarding the size of the subsearch. I received a warning that the subsearch was taking longer than 60 secs so I added "maxtime=3660" to resolve that issue.
Now I am getting an error that the subsearch has exceeded 50,000 results so it is being truncated.
Is there a way to modify this search to avoid using a subsearch?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have fixed in inferred from the statement of your search.
index="iis_logs" (cs_uri_stem="/site1" OR cs_uri_stem="/site1a")|
eval SearchNumber="site1" | append [search index="iis_logs" (cs_uri_stem="subsite1" OR cs_uri_stem="subsite2" OR cs_uri_stem="subsite3" OR cs_uri_stem="subsite4")| eval SearchNumber="subsite" ] | timechart span=1h count by SearchNumber
(result)
_time site1 subsite
.....
13/10/16 02:00 100 200
13/10/16 03:00 300 400
.....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sub search is not required.
index="iis_logs" (cs_uri_stem="/site1" OR cs_uri_stem="/site1a" OR cs_uri_stem="subsite1" OR cs_uri_stem="subsite2" OR cs_uri_stem="subsite3" OR cs_uri_stem="subsite4")|
eval SearchNumber=case(cs_uri_stem=="/site1","site1",cs_uri_stem=="/site1a","site1",cs_uri_stem=="subsite1","subsite",cs_uri_stem=="subsite2","subsite",cs_uri_stem=="subsite3","subsite",cs_uri_stem=="subsite4","subsite") |
| timechart span=1h count by SearchNumber
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Hiroshi, that did the trick.
I have a new issue regarding the size of the subsearch. I received a warning that the subsearch was taking longer than 60 secs so I added "maxtime=3660" to resolve that issue.
Now I am getting an error that the subsearch has exceeded 50,000 results so it is being truncated.
Is there a way to modify this search to avoid using a subsearch?
Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users
Everything Community at .conf24!
Index This | I’m short for "configuration file.” What am I?
