- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I create a chart based on two separate sea...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I create a chart based on two separate searches?
I'm trying to create a chart like the one below, that shows the count for events containing errorname A, errorname B, etc. for each url. Basically in my application there are sessions - some of the events in the sessions contain url, and some contain errornames.
url | errorname | count
http..a | error.A | 37
| error.B | 20
http..b | error.A | 1
| error.B | 13
I can get a count of sessions with any error by url with this query:
url[search CASE(ERROR.)|fields sessionid | format] | stats count by url
I can get a count of events by errorname with this:
name [search CASE(ERROR.) AND platformtype="CCX*"| fields eventid | format] | stats count by name
But I can't get counts of each errorname for each url. Thanks for any help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What if you did something like this?
yoursearchhere
| transaction sessionid
| search CASE(ERROR.)
| stats count by url name
This groups all the events for a session into a single event (transaction). Then it keeps only the transactions that have the ERROR. term. And finally it does the count.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply.
The query you posted gives me 0 results, though if I do
CASE(ERROR.) platformtype="CCX*"| stats count by name
I get a count of the events with each errorname.
Each unique session has a url. Each error event is part of a session, so that first query I posted above finds the urls for all the sessions that had errors, then does the count of events by url.
Each event that contains an error has an errorname ("name"). However, non-error events also have names.
What I'm trying to chart is this: for each url, how many events contained each errorname.
Thanks again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What happens if you do this?
CASE(ERROR.) platformtype="CCX*"
| stats count by url name
And if this isn't what you want, then my question is - how do you associate the urls with the error names?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply.
The query you posted gives me 0 results, though if I do
CASE(ERROR.) platformtype="CCX*"| stats count by name
I get a count of the events with each errorname.
Each unique session has a url. Each error event is part of a session, so that first query I posted above finds the urls for all the sessions that had errors, then does the count of events by url.
Each event that contains an error has an errorname ("name"). However, non-error events also have names.
What I'm trying to chart is this: for each url, how many events contained each errorname.
Thanks again.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
