Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timechart 2 different fields in one search

sbattista09
Contributor
‎01-30-2015 05:06 PM

I seem to be having issues with time charting, i want to get a trend over time for more then one field. I have tried a few different ways but can get my head around it. I would like to build this off of the example below.

Example "This is in a stacked Column view" -
index=index1 |eval RISK=case(RISK==4,"High",RISK==5,"Severe") |chart count by SUBCATEGORY,RISK useother=f usenull=f

let me know if you need anymore information, i know this is a pretty general question.

thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

fdi01
Motivator
‎02-02-2015 06:10 AM

use simplily timechart command. is this show you dynamic chart of this two host on times..

index=index1 |eval RISK=case(RISK==4,"High",RISK==5,"Severe") |timechart count by RISK, SUBCATEGORY useother=f usenull=f
or
index=index1 |timechart count(eval RISK=4) as "High" count(eval RISK=5) as "Severe" by SUBCATEGORY useother=f usenull=f

View solution in original post

Reply
Solved! Jump to solution

sbattista09
Contributor
‎02-02-2015 05:54 PM

still getting odd results-

|timechart count(eval RISK=4) as "High" count(eval RISK=5) as "Severe" by SUBCATEGORY useother=f usenull=f gave me a chart however it did not count anything, all the results were 0.

|eval RISK=case(RISK==4,"High",RISK==5,"Severe") |timechart count by RISK, SUBCATEGORY useother=f usenull=f gave me "Error in 'timechart' command: The argument 'SUBCATEGORY' is invalid."

Thanks for the help!

0 Karma
Reply
Solved! Jump to solution
Solution

fdi01
Motivator
‎02-02-2015 06:10 AM

use simplily timechart command. is this show you dynamic chart of this two host on times..

index=index1 |eval RISK=case(RISK==4,"High",RISK==5,"Severe") |timechart count by RISK, SUBCATEGORY useother=f usenull=f
or
index=index1 |timechart count(eval RISK=4) as "High" count(eval RISK=5) as "Severe" by SUBCATEGORY useother=f usenull=f

Reply
Solved! Jump to solution

sbattista09
Contributor
‎02-02-2015 05:12 AM

thanks,

however i wanted to turn this into a time chart to see a trend over time. Do you think this would be possible ?

0 Karma
Reply
Solved! Jump to solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎01-31-2015 09:54 AM 
index=index1 
|chart count(eval RISK=4) as "High" count(eval RISK=5) as "Severe" by SUBCATEGORY useother=f usenull=f
With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...