topic Re: How to write Timechart for search with binary value result? in Splunk Search

How to write Timechart for search with binary value result?

mrf23 — Tue, 28 Feb 2023 22:07:42 GMT

Hi I have a field, mode, which returns either returns data or is None (mode_true, mode_false). I'm trying to search and aggregate the sum [over time] of both outcomes over separately then plot both on a timechart (as a stacked bar or similar, where the data is separated categorically). I've tried a couple query types below with no luck

1.)

index=mode_qa module=mode_producer_logs "telemetry_event" | extract pairdelim="\"{,}" kvdelim=":" | multisearch [search mode!=None | eval type="mode_true"] [search mode=None | eval type="mode_false"] | timechart span=60m count(mode) by type

2.)

index=mode_qa module=mode_producer_logs "telemetry event" | extract pairdelim="\"{,}" kvdelim=":" | eval modeBool = if(mode!=None, "mode_true", "mode_false") | timechart count by modeBool span=30m

Both display a visual with only one data source (not binary, e.g. mode_true vs mode_false). Any ideas? New to Splunk

Re: How to write Timechart for search with binary value result?

richgalloway — Tue, 28 Feb 2023 22:14:04 GMT

Please explain what you mean by "no luck". How do the results returned not meet expectations?

The second query looks like it should work, but perhaps there's an error we can see without knowing the data.

You can debug the query by running it one pipe at a time, verifying the results are expected before adding the next pipe.

Re: How to write Timechart for search with binary value result?

mrf23 — Tue, 28 Feb 2023 22:21:45 GMT

Hi @richgalloway Right, I put the resulting behavior at the bottom of my post -- "Both display a visual with only one data source (not binary, e.g. mode_true vs mode_false). "

I'm trying to display the binary outcomes as a categorical visual like a stacked bar, but the only result I see is a single bar for a given time point.

I believe the problem is with the eval-if statement - any idea on correct syntax for expected behavior?

Re: How to write Timechart for search with binary value result?

mrf23 — Tue, 28 Feb 2023 22:23:04 GMT

eval-if in #2. Not sure about the multisearch

Re: How to write Timechart for search with binary value result?

bowesmana — Tue, 28 Feb 2023 22:28:31 GMT

When you do

| eval modeBool = if(mode!=None, "mode_true", "mode_false")

You are comparing field mode to the field None, which I guess does not exist, so ALL your events will be mode_false. Quote the "None"

index=mode_qa module=mode_producer_logs "telemetry event" | extract pairdelim="\"{,}" kvdelim=":" | eval modeBool = if(mode!="None", "mode_true", "mode_false") | timechart count by modeBool span=30m