Splunk Search

Have the following queries

query 1 - cf_org_name="xxx" cf_space_name="yyy" cf_app_name=zzz index=123* msg= "Transaction completed" | timechart count AS Succesfull_Tran span=60m

query 2 - cf_org_name="xxx" cf_space_name="yyy" cf_app_name=zzz index=123* msg= "ERROR" | timechart count AS Failed_Tran span=60m

Need help to combine the resultset into a single timechart table . Tried append and it dosent not give the desired output .

Desired Output

_time | Succesfull_Tran | Failed_Tran

Like this:

index="123*" AND cf_org_name="xxx" AND cf_space_name="yyy" AND cf_app_name="zzz" 
| timechart span=60m count(eval(msg="ERROR")) AS Failed_Tran count(eval(msg="Transaction completed")) AS Succesfull_Tran

Hi,

Try this too

cf_org_name="xxx" cf_space_name="yyy" cf_app_name=zzz index=123*
| timechart span=1h count as Total , count(eval(msg="Transaction completed")) as Succesfull_Tran , count(eval(msg="ERROR")) as Failed_Tran

| timechart span=60m count by msg

You can also create a new variable and timechart by that

| eval Success = if(msg="Transaction Completed","Success","Error")
| timechart span=60m count by Success

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

Unleash the power of Splunk Observability Watch Now In this can't miss Tech Talk! The Splunk Growth ...