Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

2 Searches on the same bar chart - (further detail described)

lanode
Path Finder
‎11-05-2012 03:49 AM

OK - I've got 2 searches:-

sourcetype="Telephone Log" 213 NOT "<I>" 
sourcetype="Telephone Log" 213 NOT "<I>" | regex _raw!=(\b\d\d:00'\d\d)

The first search captures all outbound calls from extension 213

The second search captures all outbound calls from extension 213 that are in excess of 1 miunte

I would like to plot these 2 searches on the same bar chart. With the bars overlayed.

So, for any selected timeframe I can see how many outbound calls have been made on any particluar day and overlayed on that bar another showing me the number of calls that were in excess of 1 minute.

Any help is very much appreciated.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lanode
Path Finder
‎11-06-2012 02:27 AM

Thank you guys for your responses to my problem.

I think I've found the solution. It is an adaptation of "yannK's" first suggestion.

Solution :-

sourcetype="Telephone Log" 213 NOT "<I>" 
| timechart count as CALLS
| appendcols [ search 213 NOT "<I>" | regex _raw!=(\b\d\d:00'\d\d) | timechart count as Excess1min ]

I've tested it and compared results with raw data and all looks good so far.

Thanks again for your swift help with this matter. - Much appreciated

View solution in original post

Reply
Solved! Jump to solution
Solution

lanode
Path Finder
‎11-06-2012 02:27 AM

Thank you guys for your responses to my problem.

I think I've found the solution. It is an adaptation of "yannK's" first suggestion.

Solution :-

sourcetype="Telephone Log" 213 NOT "<I>" 
| timechart count as CALLS
| appendcols [ search 213 NOT "<I>" | regex _raw!=(\b\d\d:00'\d\d) | timechart count as Excess1min ]

I've tested it and compared results with raw data and all looks good so far.

Thanks again for your swift help with this matter. - Much appreciated

Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎11-05-2012 05:56 PM

@YannK gives two good strategies, but if they're not doing what you want, consider this approach. Instead of using regex to filter, use rex with a capture group to do like Yann suggested. Use this captured variable to set a sort of binary flag, like: 

eval longer_than_minute=if(isnotnull(<captured_var>, "Y", "N")
Then you can stats count by longer_than_minute.

Furthermore, I'll point out that if there's an <O> flag to signal an outbound call (to contrast the <I> flag for inbound calls), you're better off searching for that as a positive match, rather than NOT; bloom filters will often make a positive match faster than a negative match.

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎11-05-2012 07:03 AM

  • First, you are missing stats commands to return data in a chart format,
    by example | stats count

  • One method is to merge results from 2 searches, and distinguish them by one field, in this case I use the field "type"
    Then use an append between the 2 searches.

sourcetype="Telephone Log" 213 NOT ""
| eval type="searchA"
| stats count by type
| append [ sourcetype="Telephone Log" 213 NOT ""
| regex _raw!=(bdd:00'dd)
| eval type="searchB"
| stats count by type ]

  • Another method is to use a single search, and use the result of the regex field extraction to distinguish them

sourcetype="Telephone Log" 213 NOT ""
| regex "(?<myregex>bdd:00'dd)"
| fillnull myregex value="not found"
| stats count by myregex

Reply
Solved! Jump to solution

lanode
Path Finder
‎11-05-2012 08:08 AM

I like it, but doesn't quite do what I require. Probably because I didn't give you enough detail in my original question. Anyway, I have edited the orignal to provide further information. Thank you for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...