Splunk Search

How to include 2 searches in one result?

leznx
Engager

Hi,

I have one problem here.

I need to create a search with 2 groups, and create a chart with the result.

Example, my search:

index=inc_ group="Ti" OR group="Support" OR group="admin" OR group="helpdesk" | stats count(eval(match(group,"TI,Support"))) AS Operation , count(eval(match(Grupo,"admin,helpdesk"))) AS Administrative

How do I create a graph with this query?

I tried using | timechart count by Operation|Administrative but I did not have success.

Help 😞

1 Solution

splunk68
Path Finder

You can split your search in 2 searches and append them together. Try something like this (after correcting your typos):

index=inc_ (group="TI" OR group="Support" OR group="admin" OR group="helpdesk") | stats count(eval(match(group,"(?i)^(TI|Support)$"))) AS "Operation" by _time | append [search index=inc_ (group="admin" OR group="helpdesk") | stats count(eval(match(group,"(?i)^(admin|helpdesk)$"))) AS "Administrative" by _time] | stats values("Operation") AS Operation, values("Administrative") AS Administrative by _time


linu1988
Champion

So did the search give you the result?

| timechart Operation,Administrative


leznx
Engager

Sorry linu1988!

It's a typing error on my part.

The search is:

count(eval(match(group,"TI,Support"))) AS Operation , count(eval(match(group,"admin,helpdesk"))) AS Administrative



splunk68
Path Finder

I can't test it right now, but if you remove "by _time" everywhere in the search, it should give you the count for Operation and the count for Administrative, so that you just have to create a report and select pie chart.

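The same result as the accepted answer and the pie-chart follow-up above, done in one search instead of an append, as an added example that is not part of the thread. Two things are worth knowing about the search in the question: match() takes a regular expression, so the pattern "TI,Support" only matches the literal text TI,Support and neither counter is ever incremented for a single group value like TI; and match() is case-sensitive, while group="Ti" in the base search is not, so the (?i) flag is needed for the eval to agree with the base search. The index name inc_ and the field name group are taken from the question; the one-hour bucket (span=1h) and the field name category are assumptions for the example.

```spl
index=inc_ (group="TI" OR group="Support" OR group="admin" OR group="helpdesk")
| eval category=case(
    match(group, "(?i)^(TI|Support)$"), "Operation",
    match(group, "(?i)^(admin|helpdesk)$"), "Administrative")
| timechart span=1h count BY category
```

The eval labels each event as Operation or Administrative (or leaves category null for anything else, and null values are dropped from the BY clause), and timechart then produces one column per label, which is exactly what the line or column chart needs. For the pie chart (Operation vs Administrative) replace the last line with | stats count BY category, which gives one row per slice; the per-event labelling stays the same.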

leznx
Engager

Thx bro! Perfect!!

I have one more question about this topic: how do I add values to one pie graph? Is it possible? Ex: Operation vs Administrative


linu1988
Champion

In the part count(eval(match(Grupo,"admin,helpdesk"))), is "Grupo" a field or a typo in the search?

And I suppose Operation/Administrative are fields!!! You should put | timechart Operation,Administrative
