Solved: Chart sum as well as the source numbers

MattQ · ‎04-11-2013

I would like to return a chart that has
LOGIN SUCCESS
LOGIN FAILURE
and TOTAL LOGIN ATTEMPTS.

In my logs I return raw text of LOGIN SUCCESS and LOGIN FAILURE.

I can search and return everything with "LOGIN" and chart that over time. How do I then subsearch for the raw text in those results for "SUCCESS" and separately "FAILURE" and return the count of all three in a timechart. (the top line - all login, should equal the total of the SUCCESS and FAILURE).

I am looking to produce this for trending to spot anomalies.

Essentially
... AND ("LOGIN SUCCESS" OR "LOGIN FAILURE") |timechart count

but how do I get this to return as two separate count lines?

Ayn · ‎04-11-2013

Create a field extraction for the login action (see http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Addfieldsatsearchtime ) then split your timechart by this field.

... | timechart count by login_action

(or whatever you choose to call your field)

You can then choose to stack your chart so that you get a total count in the chart that way.

View solution in original post

Ayn · ‎04-11-2013

Create a field extraction for the login action (see http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Addfieldsatsearchtime ) then split your timechart by this field.

... | timechart count by login_action

(or whatever you choose to call your field)

You can then choose to stack your chart so that you get a total count in the chart that way.

Chart sum as well as the source numbers

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...