topic Re: Select my extracted fields for correlation in timechart in Splunk Search

Select my extracted fields for correlation in timechart

sbnoobbb — Mon, 28 Sep 2020 14:20:20 GMT

I am using a search command of sourcetype=CurrentWeatherSGMap OR sourcetype=ltaTraffic | timechart count(type) as Incident count(current_summary) as Rain.

I had current_summary and type, which I needed only the Rain from current_summary and Accident from type in both sources using the search query. Anyway I can do it ?

Re: Select my extracted fields for correlation in timechart

Ayn — Mon, 15 Jul 2013 08:12:04 GMT

xmlkv is used for performing field extraction on certain XML formatted data. Not sure how it would be relevant in your scenario.

Re: Select my extracted fields for correlation in timechart

sbnoobbb — Mon, 15 Jul 2013 08:40:02 GMT

I have edited the question. Check it out 😃

Re: Select my extracted fields for correlation in timechart

Ayn — Mon, 15 Jul 2013 09:09:49 GMT

OK, but I have no idea what your desired result is (same issue as in your partner's more or less identical question). What exactly are you trying to do? What is the desired end result?

Re: Select my extracted fields for correlation in timechart

sbnoobbb — Mon, 15 Jul 2013 09:56:04 GMT

I wanted to do a search for Rain and Accident on a timechart showing how rain affects more accidents (correlation of weather and traffic accidents). However the Accident is in Type and Rain is in current_summary. I need to do a count for number of times it rains on a specific location then count for accidents on the same location then plot it on a timechart.

Re: Select my extracted fields for correlation in timechart

Ayn — Mon, 15 Jul 2013 10:16:03 GMT

So the desired result would be a graph with two lines - one for occurrences of rain and one for occurrences of accidents?

Re: Select my extracted fields for correlation in timechart

kailun92 — Mon, 15 Jul 2013 11:22:50 GMT

Yes ! Against the same location !

Re: Select my extracted fields for correlation in timechart

Ayn — Mon, 15 Jul 2013 12:33:03 GMT

Did you read the timechart docs? You can specify which field values you are interested in using eval statements. So something like this should work:

sourcetype=CurrentWeatherSGMap OR sourcetype=ltaTraffic | timechart count(eval(type=="Accident")) as Incident, count(eval(current_summary=="Rain")) as Rain

Re: Select my extracted fields for correlation in timechart

kailun92 — Mon, 15 Jul 2013 12:39:17 GMT

What if i got another field called location and I need the location of "PIE" for example? Only display result for PIE, how can i do that ? Put at by location=PIE ?

Re: Select my extracted fields for correlation in timechart

kailun92 — Mon, 15 Jul 2013 12:42:01 GMT

Consider that both sourcetype have these location fields extracted.

Re: Select my extracted fields for correlation in timechart

Ayn — Mon, 15 Jul 2013 12:49:21 GMT

Uh...well yes. That's kind of basic search filtering functionality. If you're unsure about those kind of things I advise you to take the Splunk tutorial.

Re: Select my extracted fields for correlation in timechart

kailun92 — Mon, 15 Jul 2013 12:57:53 GMT

Kk, i am just double checking 😃 I am only not sure about the two sourcetype. Thanks ! Eval is what i needed 😃