Solved: Chart sum as well as the source numbers

MattQ · ‎04-11-2013

I would like to return a chart that has
LOGIN SUCCESS
LOGIN FAILURE
and TOTAL LOGIN ATTEMPTS.

In my logs I return raw text of LOGIN SUCCESS and LOGIN FAILURE.

I can search and return everything with "LOGIN" and chart that over time. How do I then subsearch for the raw text in those results for "SUCCESS" and separately "FAILURE" and return the count of all three in a timechart. (the top line - all login, should equal the total of the SUCCESS and FAILURE).

I am looking to produce this for trending to spot anomalies.

Essentially
... AND ("LOGIN SUCCESS" OR "LOGIN FAILURE") |timechart count

but how do I get this to return as two separate count lines?

Ayn · ‎04-11-2013

Create a field extraction for the login action (see http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Addfieldsatsearchtime ) then split your timechart by this field.

... | timechart count by login_action

(or whatever you choose to call your field)

You can then choose to stack your chart so that you get a total count in the chart that way.

View solution in original post

Ayn · ‎04-11-2013

Create a field extraction for the login action (see http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Addfieldsatsearchtime ) then split your timechart by this field.

... | timechart count by login_action

(or whatever you choose to call your field)

You can then choose to stack your chart so that you get a total count in the chart that way.

Chart sum as well as the source numbers

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...