I'm new to Splunk, trying to understand how this code works.
Basically I have 2 kinds of events that come in txt log files.
Type A has "id="39" = 00" and type B has something other than 00 in this same field.
How can I create a bar chart that shows, day to day, how many A's and B's I have?
I searched a lot of examples and the best I could get was a Type A (badly formed)
index=demo_bs
| bucket _time span=24h
| stats sum(eval(if((date_hour>=23) OR (date_hour<11),1,0))) as TimeWindowCount by _time
| appendcols
[search index=demo_bs "<field id=\"39\" value=\"00\"/>"
| stats count as Aprovadas]
| eventstats max(Aprovadas) as Aprovadas
| rename TimeWindowCount as "Historical Count During Window"
| rename Aprovadas as "Aproved Transactions"
Not sure what the TimeWindowCount field is doing in your query (considering you want to show the count of type A and type B only), but I'll keep that field in the result. Try like this (change the field names typeA and typeB as needed, in all places):
index=demo_bs
| eval typeA=if(searchmatch("<field id=\"39\" value=\"00\"/>"),1,0)
| eval typeB=abs(1-typeA)
| eval TimeWindow=if((date_hour>=23) OR (date_hour<11),1,0)
| timechart span=1d sum(typeA) as "Aproved Transactions" sum(typeB) as "NameOfTypeB Here" sum(TimeWindow) as "Historical Count During Window"
@coronelfoca - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too. Thanks!
Hi coronelfoca,
When your log was indexed, the id and value fields should have been extracted. If not, extract these two fields from your events.
Then you can use the eval command to classify event types using id and value as criteria. The following example assumes all your events are either TypeA or TypeB:
index=demo_bs | timechart span=1d count(eval(id="39" AND value="00")) as TypeA, count as All | eval TypeB = All - TypeA | fields - All
Then, use visualization to view the data in a bar chart.
Hope this helps. Thanks!
Hunter
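As an added example that is not from this thread, here is a self-contained search that builds a few constructed events with makeresults and classifies them the way the first answer's searchmatch query and Hunter's count(eval(...)) query do, but with an explicit third bucket so events that lack the id="39" field are not silently counted as type B (the value39 and type field names are my own):

```spl
| makeresults count=9
| streamstats count as n
| eval _time=relative_time(now(), "@d") - floor((n-1)/3)*86400
| eval _raw=case(n%3=1, "<field id=\"39\" value=\"00\"/>", n%3=2, "<field id=\"39\" value=\"05\"/>", true(), "<field id=\"40\" value=\"00\"/>")
| rex field=_raw "<field id=\"39\" value=\"(?<value39>[^\"]+)\"/>"
| eval type=case(value39="00", "A", isnotnull(value39), "B", true(), "unknown")
| timechart span=1d count by type
```

The result is one row per day with columns A, B and unknown; on real data replace the first four lines with index=demo_bs, and drop the rex line once the id and value fields are extracted at index time.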
Hi coronelfoca,
I hope I got your question right, but this should give you a point to start:
| gentimes start=-1
| eval foo="\"id=\"39\" = 00\", \"id=\"39\" = 01\"", _time=now()
| rex max_match=0 field=foo "\"id=\"39\"\s=\s(?<myFoo>[^\"]+)\""
| mvexpand myFoo
| eval approved=if(myFoo="00",1,null()), 'not-approved'=if(myFoo>"00",1,null())
| chart count(approved) AS approved count('not-approved') AS "not-approved" by _time
This will give you an example; the important lines are the last two, lines 1-4 are only used to produce fake events.
So what happens here:
| gentimes start=-1
will create a dummy event
| eval foo="\"id=\"39\" = 00\", \"id=\"39\" = 01\"", _time=now()
evals foo and _time
| rex max_match=0 field=foo "\"id=\"39\"\s=\s(?<myFoo>[^\"]+)\""
using a regex we get the value you need into a field called myFoo
| mvexpand myFoo
expands the multivalue field into single-value fields
| eval approved=if(myFoo="00",1,null()), 'not-approved'=if(myFoo>"00",1,null())
checking if the value of myFoo matches an approved or a not-approved
| chart count(approved) AS approved count('not-approved') AS "not-approved" by _time
charting it by time
Just adapt it to your needs with the historical counts.
Hope this helps ...
cheers, MuS