Splunk Search

sum two fields count on linechart

Javo222
Path Finder

I have two fields trigger0 and trigger that occur several times per hour and I would like the sum (number of occurrences) of both over a one-hour timespan. I tried a lot of things from the forum but I always get "no result found".
A few examples of what I've tried:

source="*0307.log*" trigger0=* trigger=* [ search trigger0=* | head 1 | eval earliest=relative_time(lastTime,"-15d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")"  ] | timechart span=1h sum( eval(count(trigger) + count(trigger0)) ) as totaltrigger


source="*0307.log*" trigger0=* trigger=* [ search trigger0=* | head 1 | eval earliest=relative_time(lastTime,"-15d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")"  ] | timechart span=1h count(trigger) count(trigger0)

It's the part after the last pipe that causes the problem; I'm using the first part in other graphs.


lguinn2
Legend

Your search could be

source="*0307.log*" trigger0=* OR trigger=*  
    [ search trigger0=* | head 1 
     | eval earliest=relative_time(lastTime,"-15d")
     | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ] 
| eval  triggerMain = trigger+ trigger0
| timechart span=1h count(triggerMain) as triggerMain

If for some reason that doesn't work, then you could also do

source="*0307.log*" trigger0=* OR trigger=*  
    [ search trigger0=* | head 1 
     | eval earliest=relative_time(lastTime,"-15d")
     | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ] 
 | timechart span=1h eval(count(trigger)) as trigger01, eval(count(trigger0)) as trigger001
 | eval triggerMain = trigger01+ trigger001
 | fields - trigger01 trigger001

Also, I am unclear why you need all the fancy stuff for setting earliest and latest. You may get the same result by doing this:

source="*0307.log*" trigger0=* OR trigger=*  
| eval  triggerMain = trigger + trigger0
| timechart fixedrange=F span=1h count(triggerMain) as triggerMain

Javo222
Path Finder

Your second solution works fine. I need the fancy stuff because I only want to see the last 15 days of events and the latest event is not always "now".


cpetterborg
SplunkTrust

Your first problem may be:

(trigger0=* OR trigger=*)

Without seeing more of what your data looks like I can't comment further on your search, but the "no result found" problem may be taken care of with using an OR between your trigger conditions if you don't have BOTH trigger0 and trigger in every event.

Again, without seeing more of what your data looks like, it is hard to tell what is wrong.

Javo222
Path Finder

Both are extracted fields and they are always present in different events.
An event looks like:

2015-02-22 23:59:35,255  INFO  [0.809.1.31.] .........  Start executing rule with ID 304. Triggered by a MotionDetection at 05:59:35 (Utc).

Javo222
Path Finder

Ok, I almost got it. This works:

source="*0307.log*" trigger0=* OR trigger=*  [ search trigger0=* | head 1 | eval earliest=relative_time(lastTime,"-15d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ] | timechart span=1h eval(count(trigger)) as trigger01, eval(count(trigger0)) as trigger001| eval triggerMain = trigger01+ trigger001

But all three charts are displayed (trigger01, trigger001, triggerMain) and I would like to chart only triggerMain. I haven't managed to so far.


cpetterborg
SplunkTrust

Try:

source="*0307.log*" trigger0=* OR trigger=*  [ search trigger0=* | head 1 | eval earliest=relative_time(lastTime,"-15d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ] | timechart span=1h eval(count(trigger)+count(trigger0)) as triggerMain
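
The two working forms in this thread (lguinn2's `eval triggerMain = trigger + trigger0 | timechart count(triggerMain)` and cpetterborg's `timechart span=1h eval(count(trigger)+count(trigger0))`) behave differently when an event carries only one of the two fields, which is exactly the situation the poster describes. The Python model below is an added example, not code from the thread or from Splunk: it buckets constructed sample events by hour and applies both counting strategies, plus the AND-versus-OR base filter cpetterborg raised. The events, their values and the `_time`/`trigger`/`trigger0` tuple layout are invented for the demonstration, and the model assumes Splunk's null propagation in `eval` (an arithmetic result with a null operand is null, so `count()` skips it).

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (_time, trigger, trigger0). None means the field
# was not extracted for that event. Only the field names come from the thread;
# values and the mix of events are invented for this example.
SAMPLE_EVENTS = [
    ("2015-02-22 23:59:35,255", "MotionDetection", None),
    ("2015-02-22 23:40:01,010", None, "DoorContact"),
    ("2015-02-22 23:05:12,000", "MotionDetection", "DoorContact"),
    ("2015-02-23 00:12:44,120", None, "DoorContact"),
    ("2015-02-23 00:50:00,000", "MotionDetection", None),
]


def hour_bucket(ts: str) -> str:
    """Floor a '%Y-%m-%d %H:%M:%S,%f' timestamp to its hour, like span=1h."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S,%f")
    return t.replace(minute=0, second=0, microsecond=0).strftime("%Y-%m-%d %H:00")


def filter_events(events, require_both: bool):
    """Model the base search. require_both=True is 'trigger0=* trigger=*'
    (implicit AND); False is 'trigger0=* OR trigger=*'."""
    if require_both:
        return [e for e in events if e[1] is not None and e[2] is not None]
    return [e for e in events if e[1] is not None or e[2] is not None]


def count_plus_count_per_hour(events):
    """Model of: timechart span=1h eval(count(trigger)+count(trigger0)).
    count(field) counts events where the field is non-null, so an event
    carrying only one of the two fields still contributes 1."""
    totals = defaultdict(int)
    for ts, trigger, trigger0 in events:
        totals[hour_bucket(ts)] += (trigger is not None) + (trigger0 is not None)
    return dict(totals)


def eval_sum_then_count_per_hour(events):
    """Model of: eval triggerMain = trigger + trigger0 | timechart span=1h count(triggerMain).
    Assumed null propagation: if either operand is null the eval result is null
    and count() skips the event, so only events with BOTH fields are counted."""
    totals = defaultdict(int)
    for ts, trigger, trigger0 in events:
        b = hour_bucket(ts)
        totals.setdefault(b, 0)  # keep the bucket visible even if it stays 0
        if trigger is not None and trigger0 is not None:
            totals[b] += 1
    return dict(totals)


if __name__ == "__main__":
    base = filter_events(SAMPLE_EVENTS, require_both=False)
    print("implicit AND keeps", len(filter_events(SAMPLE_EVENTS, True)), "of", len(SAMPLE_EVENTS))
    print("count()+count():", count_plus_count_per_hour(base))
    print("eval then count:", eval_sum_then_count_per_hour(base))
```

With the constructed events, the implicit AND in the original search keeps a single event, and the `eval`-then-`count` form counts only that one event per hour while `count(trigger)+count(trigger0)` counts every occurrence of either field, which is the total the question asked for.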

Javo222
Path Finder

@cpetterborg's solution works fine and looks easier than lguinn's.
