Solved: Timechart by Two Fields

wolfreb · ‎07-20-2016

This is probably the simplest thing, but I can't find the answer: I am searching for all events with either eventCode I0H or I0L and I want to display a count of them, separated by the channelCode value that is also in the event. Here is my search:

index=QV eventCode=IOH OR eventCode=I0L

Then I want to do a timechart to show me the count of I0H events and the count of I0L events separated by the channelCode:

| timechart span=1d count(eventCode) by channelCode

... but the problem is, I'm getting the count by channelCode, but it's the counts of I0H and I0L events combined. For example: I have 4 I0L events; two have a channelCode of DSK and two have a channelCode of MBL, and 4 are I0H events, split 2 and 2 between DSK and MBL. I'm getting a chart with a bar for MBL and a bar for DSK with a count of 4 in each How do I get them to be separated by eventCode also?

somesoni2 · ‎07-20-2016

Try like this

index=QV eventCode=IOH OR eventCode=I0L | eval channelCode=channelCode.":".eventCode  | timechart span=1d count by channelCode

View solution in original post

somesoni2 · ‎07-20-2016

Try like this

index=QV eventCode=IOH OR eventCode=I0L | eval channelCode=channelCode.":".eventCode  | timechart span=1d count by channelCode

wolfreb · ‎07-20-2016

Thank you for your suggestion! That works! I get four bars in my Visualization with the suggested solution. Do you know if there's a way to get a stacked bar chart with one bar per eventCode containing multiple colors per bar to represent each channelCode per eventCode? Maybe that is a different question alltogether...

Timechart by Two Fields

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms