Hello, I have the two queries below.
QUERY1
index=abc NOT *UNKNOWN* HTTP_Code=404 | stats count AS "ACTUAL COUNT" by HTTP_Code
OUTPUT
HTTP_Code Count
404 50
QUERY2
index=abc *UNKNOWN* HTTP_Code=404 | stats count AS UNKNOWN_COUNT by HTTP_Code
OUTPUT
HTTP_Code Count
404 80
I am trying to build a timechart where one line shows the unknown count and the other shows the actual count.
Thanks in advance
Like this:
index=abc
| timechart count(eval(searchmatch("NOT *UNKNOWN*"))) AS ActualCount count(eval(searchmatch("*UNKNOWN*"))) AS UnknownCount BY HTTP_Code
OR
Like this:
index=abc HTTP_Code=404
| timechart count(eval(searchmatch("NOT *UNKNOWN*"))) AS ActualCount_404 count(eval(searchmatch("*UNKNOWN*"))) AS UnknownCount_404
It did not work. I tried using append and it worked:
index=abc UNKNOWN HTTP_Code=404 | timechart span=1h count(HTTP_Code) as "UNKNOWN 404 Count" | append [search index=abc NOT UNKNOWN HTTP_Code=404 | timechart span=1h count(HTTP_Code) as "OTHER 404 Count"]
Give this a try:
index=abc HTTP_Code=404 | eval Unknown=if(searchmatch("UNKNOWN"),1,0) | eval Actual=abs(1-Unknown)
| timechart sum(Unknown) as UNKNOWN_COUNT sum(Actual) as ACTUAL_COUNT