,Stats count result naming

TCK101 · ‎12-27-2017

I have a number of saved searches - and I am appending all the counts to form a total which works fine

Basically I would now like to have a time chart of this and bar contain the weekly total each of the saved searches and have the counts for each saved search as service 1 , service 2, service 3

would I need to eval each saved search?

TCK101 · ‎02-03-2018

Thanks

how would I be able to split each of the Service1 service 2 and service 3 as their OWN line / bar in the timechart result?

somesoni2 · ‎12-27-2017

Try like this

|savedsearch "Service 1" | timechart span=1w count as Service1
| append [| savedsearch "Service 2" | timechart span=1w count as Service2 ] 
| append [| savedsearch "Service 3" | timechart span=1w count as Service3] 
| timechart span=1w sum(*) as *

Please note that for timechart command to work, you need _time field so ensure that your savedsearch results contain _time field.

micahkemp · ‎12-27-2017

It's important to note that in @somesonie2's response he used timechart instead of stats in the append search. The search posted in the original question used stats, which would definitely drop _time from the results, preventing you from using timechart further down the search.

kamlesh_vaghela · ‎12-27-2017

HI @TCK101,

Can you please try this?

|savedsearch "Service 1" | eval mysavedsearch="Service 1"
| append [savedsearch "Service 2" | eval mysavedsearch="Service 2" ] 
| append [savedsearch "Service 3" | eval mysavedsearch="Service 3"] 
|timechart span=1w count by mysavedsearch

TCK101 · ‎12-27-2017

This does not work.

Note I have 3 saved searches .

,Stats count result naming

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!