Forums: SplunkSearchAndAlert: Stats within transactions

I am trying to create a report that compares successful vs. unsuccessful sets of actions grouped into a transaction:

host="web*" (uri_path=/path1/* OR uri_path=/path2/* OR uri_path=/path3/*) | transaction clientip maxspan=60m | timechart count by searchmatch(uri=/path3/success)

I am trying to chart the transactions that include the "success" uri vs those that did not (and thus failed).

I can get to what I want with 2 separate queries, but I want it all in one report:

host="web*" (uri_path=/path1/* OR uri_path=/path2/* OR uri_path=/path3/*) | transaction clientip maxspan=60m | timechart count by events

host="web*" (uri_path=/path1/* OR uri_path=/path2/* OR uri_path=/path3/*) | transaction clientip maxspan=60m | search uri_path="/path3/success" | timechart count by events

host="web*" (uri_path=/path1/* OR uri_path=/path2/* OR uri_path=/path3/*) | transaction clientip maxspan=60m | timechart count as total, count(eval(searchmatch("uri_path=/path3/success"))) as successes | eval failures=total-successes

alternatively:

host="web*" (uri_path=/path1/* OR uri_path=/path2/* OR uri_path=/path3/*) | transaction clientip maxspan=60m | eval category=if(searchmatch("uri_path=/path3/success"),"success","failure") | timechart count by category
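The second search above, worked through in Python as an added example (not code from this thread or from Splunk): it groups constructed web events by clientip with a 60-minute maxspan, tags each transaction "success" or "failure" by whether its multivalue uri_path contains /path3/success, and counts both categories per hour. The maxspan handling is a simplified model of Splunk's transaction command, and the timestamps, client IPs and uri values are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SUCCESS_URI = "/path3/success"
MAXSPAN = timedelta(minutes=60)   # transaction clientip maxspan=60m

# Constructed sample events: (timestamp, clientip, uri_path).
EVENTS = [
    ("2024-01-01 09:00", "10.0.0.1", "/path1/start"),
    ("2024-01-01 09:10", "10.0.0.1", "/path2/step"),
    ("2024-01-01 09:20", "10.0.0.1", "/path3/success"),
    ("2024-01-01 09:05", "10.0.0.2", "/path1/start"),
    ("2024-01-01 09:30", "10.0.0.2", "/path2/step"),
    ("2024-01-01 10:40", "10.0.0.2", "/path3/success"),  # >60m after 09:05: new transaction
    ("2024-01-01 11:15", "10.0.0.3", "/path1/start"),
    ("2024-01-01 11:20", "10.0.0.3", "/path2/step"),
]

def build_transactions(events, maxspan=MAXSPAN):
    """Simplified `transaction clientip maxspan=60m`: events from one clientip
    join the current transaction while they fall within maxspan of its first event."""
    by_client = defaultdict(list)
    for ts, ip, uri in sorted(events):
        by_client[ip].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), uri))
    transactions = []
    for ip, evs in by_client.items():
        current = None
        for t, uri in evs:
            if current is None or t - current["start"] > maxspan:
                current = {"clientip": ip, "start": t, "uri_path": []}
                transactions.append(current)
            current["uri_path"].append(uri)   # uri_path becomes multivalue, as in Splunk
    return transactions

def categorize(tx, success_uri=SUCCESS_URI):
    """eval category=if(searchmatch("uri_path=/path3/success"), "success", "failure")"""
    return "success" if success_uri in tx["uri_path"] else "failure"

def timechart_by_category(transactions):
    """timechart count by category with a 1h span; a transaction's _time is its earliest event."""
    chart = defaultdict(lambda: {"success": 0, "failure": 0})
    for tx in transactions:
        bucket = tx["start"].strftime("%Y-%m-%d %H:00")
        chart[bucket][categorize(tx)] += 1
    return dict(sorted(chart.items()))

if __name__ == "__main__":
    for bucket, counts in timechart_by_category(build_transactions(EVENTS)).items():
        print(bucket, counts)
```

Note that client 10.0.0.2 produces two transactions: the first (09:05 to 09:30) never reaches the success uri and counts as a failure, while the 10:40 hit falls outside maxspan and starts a new, successful one.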