topic Re: Custom Search in Splunk Enterprise

Custom Search

vishwa — Mon, 19 Feb 2024 20:54:17 GMT

Query:

|tstats count where index=xxx host=host1 sourcetype=newsourcetype by PREFIX(type:) _time |rename type: as Types |timechart span=1d values(count) by Types |eval Total=Model1 +Model2+ Model3+ Model4 |fillnull value=0

OUTPUT:

_time	Model1	Model2	Model3	Model4	Total
2021-04-12	2	0	1	4	0
2021-04-13	0	4	0	0	0
2021-04-14	8	2	10	4	24
2021-04-15	3	0	2	8	0
2021-04-16	1	4	2	2	9

EXPECTED OUTPUT:

_time	Model1	Model2	Model3	Model4	Total
2021-04-12	2	0	1	4	7
2021-04-13	0	4	0	0	4
2021-04-14	8	2	10	4	24
2021-04-15	3	0	2	8	13
2021-04-16	1	4	2	2	9

Re: Custom Search

bowesmana — Mon, 19 Feb 2024 22:16:27 GMT

@vishwa I suspect your fields are not actually coming out as Model1 etc, i.e. the may have some strange characters in there. You can either try to figure out what the Types field values are before you do the timechart by doing something like

to see if there are any odd characters or the len does not come out as 8.

The simples thing to do though is to not care about the names and just add 'addtotals', i.e.

|tstats count where index=xxx host=host1 sourcetype=newsourcetype by PREFIX(type:) _time | rename type: as Types | timechart span=1d values(count) by Types | addtotals

which will add up all the numeric fields and create a new field called Total

Re: Custom Search

vishwa — Tue, 20 Feb 2024 00:08:17 GMT

Hi @bowesmana , Thank you!!!! this query worked

|tstats count where index=xxx host=host1   sourcetype=newsourcetype by PREFIX(type:) _time
| rename type: as Types
| timechart span=1d values(count) by Types
| addtotals

Re: Custom Search

bowesmana — Tue, 20 Feb 2024 01:39:45 GMT

@vishwa re:mvstats - did you know that Splunk natively supports min/max/avg/sum on mvfields.