Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can this query be written more efficiently?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dfexsplunk
New Member
09-19-2016
01:56 AM
It's a query for a staked column chart.
index=myCompIn source="/locatedin/mySrc.log" "Reply Back" "CAT-IN " "SOME STUFF" | append
[search index=myCompIn source="/locatedin/mySrc.log" "CAT-IN | 91.8.1952.7.4 | (false true false)"] | append
[search index=myCompIn source="/locatedin/mySrc.log" "CAT-IN | 91.8.1952.7.4 | (false false true)"]|timechart span=1d count AS aTXN | join _time
[search index=myCompIn source="/locatedin/mySrc.log" RT_DCC_TYPE=converted | append
[search index=myCompIn source="/locatedin/mySrc.log" "CAT-IN | 91.8.1952.7.4 | (false true false)"] | append
[search index=myCompIn source="/locatedin/mySrc.log" "CAT-IN | 91.8.1952.7.4 | (false false true)"] | timechart span=1d count AS bTXN]
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-20-2016
08:15 AM
Try this
index=myCompIn source="/locatedin/mySrc.log" ("Reply Back" "CAT-IN " "SOME STUFF") OR ("CAT-IN | 91.8.1952.7.4 | (false true false)" ) OR ("CAT-IN | 91.8.1952.7.4 | (false false true)") OR ( RT_DCC_TYPE=converted ) OR ( "CAT-IN | 91.8.1952.7.4 | (false true false)") OR ( "CAT-IN | 91.8.1952.7.4 | (false false true)" )
| eval catin=case(searchmatch("CAT-IN | 91.8.1952.7.4 | (false true false)",1,searchmatch("CAT-IN | 91.8.1952.7.4 | (false false true)",1,true(),0)
| eval aTXN=if(searchmatch("\"Reply Back\" \"CAT-IN \" \"SOME STUFF\""),1,0) + catin
| eval bTXN=if(searchmatch("RT_DCC_TYPE=converted"),1,0) + catin
| timechart span=1d sum(aTXN) as aTXN sum(bTXN) as bTXN
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-20-2016
08:15 AM
Try this
index=myCompIn source="/locatedin/mySrc.log" ("Reply Back" "CAT-IN " "SOME STUFF") OR ("CAT-IN | 91.8.1952.7.4 | (false true false)" ) OR ("CAT-IN | 91.8.1952.7.4 | (false false true)") OR ( RT_DCC_TYPE=converted ) OR ( "CAT-IN | 91.8.1952.7.4 | (false true false)") OR ( "CAT-IN | 91.8.1952.7.4 | (false false true)" )
| eval catin=case(searchmatch("CAT-IN | 91.8.1952.7.4 | (false true false)",1,searchmatch("CAT-IN | 91.8.1952.7.4 | (false false true)",1,true(),0)
| eval aTXN=if(searchmatch("\"Reply Back\" \"CAT-IN \" \"SOME STUFF\""),1,0) + catin
| eval bTXN=if(searchmatch("RT_DCC_TYPE=converted"),1,0) + catin
| timechart span=1d sum(aTXN) as aTXN sum(bTXN) as bTXN
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dfexsplunk
New Member
09-20-2016
09:23 AM
This worked exactly. Tanx very much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
09-19-2016
08:55 AM
Try this
*UPDATED*
index=myCompIn source="/locatedin/mySrc.log" "Reply Back" "CAT-IN | 91.8.1952.7.4" | timechart span=1d count(eval(match(_raw, "SOME STUFF")) as A count(eval(RT_DCC_TYPE="converted")) as B
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dfexsplunk
New Member
09-20-2016
01:26 AM
Thanks for this sundareshr but no luck with it, I get the following error "Error in 'timechart' command: Repeated group-by field '_time'."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
09-20-2016
04:44 AM
Try the updated answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dfexsplunk
New Member
09-20-2016
06:57 AM
Tanx. Still the same error code produced.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
09-20-2016
07:14 AM
🙂 try this time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dfexsplunk
New Member
09-20-2016
07:20 AM
Tanx. This runs without error but does not find any results!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
09-20-2016
07:31 AM
Do you get any data back when you remove the last segment (timechart)?
Get Updates on the Splunk Community!
Splunk APM: New Product Features + Community Office Hours Recap!
Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...
Index This | Forward, I’m heavy; backward, I’m not. What am I?
April 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
A Guide To Cloud Migration Success
As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...
