Splunk Search

Have the following queries

query 1 - cf_org_name="xxx" cf_space_name="yyy" cf_app_name=zzz index=123* msg= "Transaction completed" | timechart count AS Succesfull_Tran span=60m

query 2 - cf_org_name="xxx" cf_space_name="yyy" cf_app_name=zzz index=123* msg= "ERROR" | timechart count AS Failed_Tran span=60m

Need help to combine the resultset into a single timechart table . Tried append and it dosent not give the desired output .

Desired Output

_time | Succesfull_Tran | Failed_Tran

Like this:

index="123*" AND cf_org_name="xxx" AND cf_space_name="yyy" AND cf_app_name="zzz" 
| timechart span=60m count(eval(msg="ERROR")) AS Failed_Tran count(eval(msg="Transaction completed")) AS Succesfull_Tran

Hi,

Try this too

cf_org_name="xxx" cf_space_name="yyy" cf_app_name=zzz index=123*
| timechart span=1h count as Total , count(eval(msg="Transaction completed")) as Succesfull_Tran , count(eval(msg="ERROR")) as Failed_Tran

| timechart span=60m count by msg

You can also create a new variable and timechart by that

| eval Success = if(msg="Transaction Completed","Success","Error")
| timechart span=60m count by Success

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now! In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...