- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to modify my search in order to create stacked...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI ,
I am new to using Splunk Enterprise and not so familiar with the search strings and other stuff 🙂
here is my requirement :
search the logs for errors/exceptions/timeout/etc... and display it as a stacked bar view with color code
example: error - Red exception - green etc...
Y axis should have the count and X - axis should have source type
the resulting bar representation should show error/exception etc .. in stacked form with different colors, once we click on colors it should take us to the corresponding logs with the specific error/exception etc ...
Here is the search string :
index=** host=* source=logs AND ("ERROR" OR "exception" OR "timeout") | TOP sourcetype
please suggest as this is something important for my ongoing project
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=** host=* source=logs AND ("ERROR" OR "exception" OR "timeout") | rex "(?<err>ERROR|exception|timeout)" | chart count over host by err usenull=f
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=** host=* source=logs AND ("ERROR" OR "exception" OR "timeout") | rex "(?<err>ERROR|exception|timeout)" | chart count over host by err usenull=f
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Sundaresh,
This is getting me results but they are partial only
i can see a stacked bar with two colors, one of which is errors/exceptions (Bluish color) and the other is an orange/yellowish color which says null and clicking on it leads no where
Y axis should show the count and the stacked bar should have errors/exceptions/timeout etc... stacked with different colors
Unable to attach an image which represents this idea , which would have given a clear picture
Please suggest the changes to complete this 🙂 Thanks for your help
- Praneeth
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you get when you run this search. Also, can you share sample event with each of the error code (ERROR, exception, timeout).
index=** host=* source=logs AND ("ERROR" OR "exception" OR "timeout") | rex "(?<err>ERROR|exception|timeout)" | table _time host err
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI Sundaresh,
I did get good results now with the first string that you have provided and thanks a lot (might be some mistake at my end)
Just a last concern ... as mentioned today i see lot of NULL in the bars .. clicking it leads nowhere, is it possible to remove it or hide it from the search results
- Praneeth
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add usenull=f to the chart command. I've updated the original answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect 🙂
Will get back to you if i have any questions on my upcoming project
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please accept this answer to close it out
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
