Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I create a chart based on two separate searches?

julescarney
New Member
‎09-24-2013 10:25 AM

I'm trying to create a chart like the one below, that shows the count for events containing errorname A, errorname B, etc. for each url. Basically in my application there are sessions - some of the events in the sessions contain url, and some contain errornames.

url    |   errorname    | count

http..a |   error.A        | 37

      |   error.B        | 20

http..b |   error.A        | 1

      |   error.B        | 13

I can get a count of sessions with any error by url with this query:

url[search CASE(ERROR.)|fields sessionid | format] | stats count by url

I can get a count of events by errorname with this:

name [search CASE(ERROR.) AND platformtype="CCX*"| fields eventid | format] | stats count by name

But I can't get counts of each errorname for each url. Thanks for any help.

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎09-27-2013 01:15 PM

What if you did something like this?

yoursearchhere
| transaction sessionid
| search CASE(ERROR.)
| stats count by url name

This groups all the events for a session into a single event (transaction). Then it keeps only the transactions that have the ERROR. term. And finally it does the count.

0 Karma
Reply

julescarney
New Member
‎09-24-2013 11:07 AM

Thanks for the reply.

The query you posted gives me 0 results, though if I do

CASE(ERROR.) platformtype="CCX*"| stats count by name

I get a count of the events with each errorname.

Each unique session has a url. Each error event is part of a session, so that first query I posted above finds the urls for all the sessions that had errors, then does the count of events by url.

Each event that contains an error has an errorname ("name"). However, non-error events also have names.

What I'm trying to chart is this: for each url, how many events contained each errorname.

Thanks again.

0 Karma
Reply

lguinn2
Legend
‎09-24-2013 10:45 AM

What happens if you do this?

CASE(ERROR.) platformtype="CCX*"
| stats count by url name

And if this isn't what you want, then my question is - how do you associate the urls with the error names?

0 Karma
Reply

julescarney
New Member
‎09-24-2013 11:07 AM

Thanks for the reply.

The query you posted gives me 0 results, though if I do

CASE(ERROR.) platformtype="CCX*"| stats count by name

I get a count of the events with each errorname.

Each unique session has a url. Each error event is part of a session, so that first query I posted above finds the urls for all the sessions that had errors, then does the count of events by url.

Each event that contains an error has an errorname ("name"). However, non-error events also have names.

What I'm trying to chart is this: for each url, how many events contained each errorname.

Thanks again.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...