Splunk Search

Use subsearch for timechart

tgdvopab
Path Finder

I want to use two evals with subsearches. In the subsearches I would like to use a timechart to count the number of events per day.
At the end, I want to use a third timechart and display the two generated variables.
My code looks like the following:

index=lync_scs source="WinEventLog:Lync Server" | eval id_one = [ search index=lync_scs source="WinEventLog:Lync Server" EventCode=4410 | timechart span=1d count as id_one] | eval id_two = [ search index=lync_scs source="WinEventLog:Lync Server" EventCode=41113 | timechart span=1d count as id_two] | timechart span=1d values(id*)

Unfortunately, my search doesn't work.
Could you help me please? Thanks a lot!


davebrooking
Contributor

Hi

I haven't tested this, but could you use something like

index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application  | 
eval not_available=if(EventCode=700 OR EventCode=702,1,0) |
eval available=if(EventCode!=700 AND EventCode!=702,1,0) |
timechart span=1d sum(available) as available sum(not_available) as not_available

You can also use eval functions within stats/chart/timechart commands, as shown in the Search Manual.

    index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application  | 
    timechart span=1d sum(eval(if(EventCode!=700 AND EventCode!=702,1,0))) as available sum(eval(if(EventCode=700 OR EventCode=702,1,0))) as not_available

Dave


tgdvopab
Path Finder

Thanks a lot! So I have the following search:

index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application |
 eval not_available=if(EventCode=700 OR EventCode=702,1,0) |
 eval available=if(EventCode!=700 AND EventCode!=702,1,0) | timechart span=1d sum(available) as available_time, sum(not_available) as not_available_time

I need one more field.
This field is calculated like this:

eval sla = 100 - (not_available_time / available_time)

Do you know how I can include this in the timechart?


sundareshr
Legend

Just add eval sla = 100 - (not_available_time / available_time) to the end of your query.


tgdvopab
Path Finder

I forgot the return $id_one and return $id_two after the timechart in the evals.


davebrooking
Contributor

Why are you using subsearches? Does the following come close to what you're trying to achieve?

index=lync_scs source="WinEventLog:Lync Server" (EventCode=4410 OR EventCode=41113) | timechart span=1d count by EventCode

Dave


tgdvopab
Path Finder

I used the code as an example.
This is my original search:

index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application | eval sla=99.9 | eval not_available = [search index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application (EventCode=700 OR EventCode=702) | timechart span=1d count as not_available | return $not_available] | eval available = [search index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application (EventCode!=700 AND EventCode!=702) | timechart span=1d count as available | return $available] | eval sla2 = 100 - (not_available / available) | timechart span=1d values(*available)

Do you know another way?

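A single-pass version of the availability search this thread converges on, as an added example that is not from the original poster or any of the repliers. It assumes the same index, hosts, sourcetype and event codes used in the posts above. The SLA line keeps the thread's quotient but scales it to a percentage and skips days with no available events, which is my assumption about the intended formula rather than something the thread states.

```spl
index=testindex (host=server1 OR host=server2) sourcetype=WinEventLog:Application
| eval not_available=if(EventCode=700 OR EventCode=702, 1, 0)
| eval available=if(EventCode!=700 AND EventCode!=702, 1, 0)
| timechart span=1d sum(not_available) as not_available_time sum(available) as available_time
| eval sla=if(available_time > 0, round(100 - 100 * not_available_time / available_time, 2), null())
| fillnull value=0 not_available_time available_time
```

No subsearch is needed: the conditional evals run once per event, timechart buckets them by day, and the eval after timechart operates on the per-day row, which is where sla has to be computed. Note the AND in the available test; a single event can never be both 700 and 702, so EventCode!=700 OR EventCode!=702 is true for every event and would count downtime events as available. The zero-denominator guard matters on days that contain only 700/702 events, where the unguarded division would produce an empty cell instead of a number.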