Splunk Enterprise

How to compare a search and overlay in two graphs using 2 hosts (host1 and 2); two sourcetypes (sourcetype1 and 2); and three strings "string1", "string2", and "string3" in a given date, say July 27, 2017 from 12:00:01am to 11:58:00 pm?

qtorque95
Explorer

I tried the following generic example. Note host1 and host2 correspond to sourcetype1 and sourcetype2, respectively. Thank you for your support.

index=_internal sourcetype="sourcetype1" OR sourcetype="sourcetype2" host="host1" OR host="host2"
earliest=07/27/2017:0:0:1 latest=07/27/2017:23:58:0 | timechart span=1d count |
append [search index=_internal sourcetype="sourcetype1" OR sourcetype="sourcetype2" host="host1" OR host="host2"
"string1" OR "string2" OR "string3" ]


Richfez
SplunkTrust

I'm not sure I understand all of the question, but I think that for what you want you shouldn't need append. Splunk can do arbitrarily complex splitting in a variety of ways. Here's one method.

First, a run-anywhere example that you can use to see this way of doing it in action.

index=_internal earliest="07/01/2017:00:00:00" latest="07/31/2017:23:00:00" (component="SavedSplunker" OR component="ArchiveProcessor" OR component="WatchedFile")
| eval Splitter=case((component="SavedSplunker"), "ItemA", (component="ArchiveProcessor" OR component="WatchedFile"), "ItemB")
| timechart count by Splitter

In this example, I search a longer time period (which isn't important - just so I have events on my tiny little home system) for things in the internal index. I'm specifically searching ONLY for those three component types, but I honestly only do that for efficiency. I don't want the whole thing drowned out by my 700,000 "component=metrics", so I pick three that I will use as an example later that are all three about the same size (a hundred or two on my system over the past month).

The second line, the eval, uses case to build a field called Splitter. Splitter will be "ItemA" if component is "SavedSplunker", and Splitter will be "ItemB" if the component is either ArchiveProcessor or WatchedFile. It doesn't really matter that I used those; you can put pretty arbitrary stuff in there.

The last line then does a timechart by my newly created field.

So if you want to try something more akin to your example... Well, maybe this will be more interesting?

index=_internal sourcetype="sourcetype1" OR sourcetype="sourcetype2" host="host1" OR host="host2"
earliest=07/27/2017:0:0:0 latest=07/28/2017:23:0:0 
| eval IsSpecial=if(match( _raw, "string1") OR match(_raw, "string2"),"Yes","No")
| timechart IsSpecial

That, like before, is filtering to the "common" filtered criteria - namely host1, host2 of the various sourcetypes you want.

The second line is creating a new field IsSpecial, which is "Yes" if either the word "string1" or the word "string2" is found in _raw (which is the whole event). It is set to No, otherwise.

Then we timechart on that.

Give that a try, see if it makes sense.

If those aren't even close to what you want, shoot back a reply and we can try one of the other ways to do these things.

Happy Splunking,
Rich


qtorque95
Explorer

Thank you, @rich7177. Ran last suggestion; however, got this:
"Error in 'timechart' command: The specifier 'IsSpecial' is invalid. It must be in form (). For example: max(size )."

What I'm trying to achieve is to compare log files and search for two (or 3) strings, "timeline" and "currentposition", from July 27 12:01 AM to July 28 11:59 PM. Then, overlay the results in two graphs as follows:

index=_internal sourcetype="a1_bridge_log" OR sourcetype="b1_bridge_log" host="a1" OR host="b1"
earliest=07/27/2017:0:01:0 latest=07/28/2017:23:59:0
| eval IsSpecial=if(match(_raw, "timeline") OR match(_raw, "currentposition"),"Yes","No")
| timechart IsSpecial

where:
index=_internal is the default Splunk Light index I use for both hosts, a1 and b1.
In my environment, a1_bridge_log is the sourcetype for the corresponding logs on host a1.
On the other hand, b1_bridge_log is the sourcetype for the corresponding logs on host b1.
"timeline" and "currentposition" are character strings found in lines of those log files. Thank you for your support.


Richfez
SplunkTrust

My bad -

As per my original example, try

...
| timechart count by IsSpecial

Silly me, but now you know why I include "how I got to where I got" as a precursor for "how you can get to where you need to be". It's so I can fix my own typos easier. 🙂

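An added example, not from either poster, that applies Rich's eval/case plus "timechart count by" pattern to the asker's own hosts, sourcetypes, strings and time window; the explicit parentheses around each host/sourcetype pair, the hourly span, the "other" bucket and the Series field name are my assumptions:

```spl
index=_internal (sourcetype="a1_bridge_log" host="a1") OR (sourcetype="b1_bridge_log" host="b1")
earliest="07/27/2017:00:01:00" latest="07/28/2017:23:59:00"
| eval Matched=case(match(_raw, "timeline"), "timeline",
                    match(_raw, "currentposition"), "currentposition",
                    true(), "other")
| eval Series=host . ":" . Matched
| timechart limit=0 span=1h count by Series
```

Each host/string pair becomes its own series (a1:timeline, b1:timeline, and so on), so the two hosts can be overlaid on one chart, or split into two panels by adding a host filter to the base search. The true() branch counts events that match neither string, which shows whether a quiet series means no matches or no events at all.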