topic help to values many fields in timechart command in Splunk Search

help to values many fields in timechart command

jip31 — Tue, 18 Feb 2020 09:36:20 GMT

i use the search below for displaying a timechart
as you can see, the timechart is sorted by host

`toto` 
    earliest=-5d latest=now 
| lookup test.csv HOSTNAME as host output SITE MODEL 
| timechart avg(BootTime) as "Boot time" by host limit=10 useother=false

but I also need to values the fields SITE and MODEL in order to have for an host, the avg(BootTime), the SITE and the MODEL
Something like :

    | timechart avg(BootTime) as "Boot time" by host SITE MODEL

How to do for values other fields with a timechart command please???

Re: help to values many fields in timechart command

to4kawa — Tue, 18 Feb 2020 10:00:52 GMT

....
|eval tmp=host.":".SITE.":".MODEL
| timechart avg(BootTime) as "Boot time" by tmp
| rex field=tmp "(?<host>\S+?):(?<SITE>\S+?):(?<MODEL>\S+)"
| fields - tmp

Re: help to values many fields in timechart command

jip31 — Tue, 18 Feb 2020 12:21:36 GMT

It doesnt works
if I am doing | search SITE=* OR MODEL=* I have no results
And i also need to display the timechart by host
Actually instead host I have "NULL"

Re: help to values many fields in timechart command

to4kawa — Tue, 18 Feb 2020 12:38:39 GMT

@jip31

Of course you do the query after the lookup, right?

it doesn't works
You say this and you know the cause and what to do?

Re: help to values many fields in timechart command

jip31 — Wed, 19 Feb 2020 06:50:47 GMT

yes after the lookup
and i dont know why | search SITE=* OR MODEL=* doesnt works

Re: help to values many fields in timechart command

to4kawa — Wed, 19 Feb 2020 08:49:06 GMT

| search SITE=* OR MODEL=* is unnecessary.