Splunk Search

How to generate a timechart from multiple data sources?

ataunk
Explorer

I need a time chart from multiple source --

First source search : host=abcdefgh source="Test.log" index=app_ops_prod SessionID="*"
Second Source search : host=abcdefgh source="Test.log" index=app_ops_prod "error.timeout"
Third Source search : host=abcdefgh source="Test.log" index=app_ops_prod "error.badurl"

My SessionID is a field, but other two strings might be present in the raw log. In short, for one request a log line is generated which will always have a SessionID, but few log lines may contain error. I want a timechart that will show number of request (i.e. count of SessionID) and the errors in all the request.

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try like this

host=abcdefgh source="Test.log" index=app_ops_prod (SessionID="*" OR "error.timeout" OR  "error.badurl" )
| eval TimeoutError=if(searchmatch("error.timeout"),1,0) | eval BadUrlError=if(searchmatch("error.badurl"),1,0) 
| timechart count(SessionID) as NoOfRequests sum(TimeoutError) as TimeoutError sum(BadUrlError) as BadUrlError

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Try like this

host=abcdefgh source="Test.log" index=app_ops_prod (SessionID="*" OR "error.timeout" OR  "error.badurl" )
| eval TimeoutError=if(searchmatch("error.timeout"),1,0) | eval BadUrlError=if(searchmatch("error.badurl"),1,0) 
| timechart count(SessionID) as NoOfRequests sum(TimeoutError) as TimeoutError sum(BadUrlError) as BadUrlError

ataunk
Explorer

This is working as expected.

0 Karma

arcdevil
Path Finder

Plz try that.

index=app_ops_prod host=abcdefgh source="Test.log" SessionID="*" | timechart span=1m count(SessionID) | appendcols [search index=app_ops_prod host=abcdefgh source="Test.log" ("error.badurl" OR "error.timeout") | timechart span=1m count]

Also on the chart, you can add the chart overlay to better illustrate your data.

0 Karma

ataunk
Explorer

Not sure about this. It is not giving expected results. But, the one answer posted below seems to work fine

0 Karma

arcdevil
Path Finder

No problem 🙂 I'm glad to hear that your problem has been solved.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...