Solved: Re: How to modify my search in order to create sta...

Kumar1980 · ‎10-03-2016

HI ,

I am new to using Splunk Enterprise and not so familiar with the search strings and other stuff 🙂

here is my requirement :

search the logs for errors/exceptions/timeout/etc... and display it as a stacked bar view with color code

example: error - Red exception - green etc...

Y axis should have the count and X - axis should have source type

the resulting bar representation should show error/exception etc .. in stacked form with different colors, once we click on colors it should take us to the corresponding logs with the specific error/exception etc ...

Here is the search string :

index=**  host=* source=logs AND ("ERROR" OR "exception" OR "timeout") | TOP sourcetype

please suggest as this is something important for my ongoing project

sundareshr · ‎10-03-2016

Try this

index=**  host=* source=logs AND ("ERROR" OR "exception" OR "timeout") | rex "(?<err>ERROR|exception|timeout)" | chart count over host by err usenull=f

View solution in original post

sundareshr · ‎10-03-2016

Try this

index=**  host=* source=logs AND ("ERROR" OR "exception" OR "timeout") | rex "(?<err>ERROR|exception|timeout)" | chart count over host by err usenull=f

Kumar1980 · ‎10-09-2016

Thanks Sundaresh,

This is getting me results but they are partial only

i can see a stacked bar with two colors, one of which is errors/exceptions (Bluish color) and the other is an orange/yellowish color which says null and clicking on it leads no where

Y axis should show the count and the stacked bar should have errors/exceptions/timeout etc... stacked with different colors

Unable to attach an image which represents this idea , which would have given a clear picture

Please suggest the changes to complete this 🙂 Thanks for your help

Praneeth

sundareshr · ‎10-09-2016

What do you get when you run this search. Also, can you share sample event with each of the error code (ERROR, exception, timeout).

index=**  host=* source=logs AND ("ERROR" OR "exception" OR "timeout") | rex "(?<err>ERROR|exception|timeout)" | table _time host err

Kumar1980 · ‎10-09-2016

HI Sundaresh,

I did get good results now with the first string that you have provided and thanks a lot (might be some mistake at my end)

Just a last concern ... as mentioned today i see lot of NULL in the bars .. clicking it leads nowhere, is it possible to remove it or hide it from the search results

Praneeth

sundareshr · ‎10-09-2016

Add usenull=f to the chart command. I've updated the original answer

Kumar1980 · ‎10-09-2016

Perfect 🙂

Will get back to you if i have any questions on my upcoming project

sundareshr · ‎10-09-2016

Please accept this answer to close it out

How to modify my search in order to create stacked bar chart that shows errors, exceptions, or timeouts?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...