https://community.splunk.com/t5/Splunk-Search/Customize-sourcetype-display/m-p/181022#M52179 <P>Which answer are you going to accept now? But, since the problem was the <STRONG>source</STRONG> i think you should accept mine.</P> Wed, 06 May 2015 13:33:41 GMT stephanefotso 2015-05-06T13:33:41Z https://community.splunk.com/t5/Splunk-Search/Customize-sourcetype-display/m-p/181018#M52175 <P>Im monitoring 2 harddrive usage from a server.</P> <P>This is my query : </P> <P>index="perfmon7days" earliest=-60m sourcetype="WMI:LocalPhysicalDisk_DFSR" OR sourcetype="WMI:LocalPhysicalDisk_STAGING" | eval _custom=if(source=="WMI:LocalPhysicalDisk_DFSR","DFSR","STAGING") | timechart span="5m" max(PercentDiskWriteTime) as "Write" max(PercentDiskReadTime) as "Read" by _custom</P> <P>So, basically, I want to have 4 Lines : Read:DFSR, Read:Staging, Write:DFSR and Write:Staging.</P> <P>With this query, I only have READ Staging and Write Staging since it look like I fall in the "ELSE" everytime.</P> <P>If I use this query, it work :</P> <P>index="perfmon7days" earliest=-60m sourcetype="WMI:LocalPhysicalDisk_DFSR" OR sourcetype="WMI:LocalPhysicalDisk_STAGING" | eval _custom=if(source=="WMI:LocalPhysicalDisk_DFSR","DFSR","STAGING") | timechart span="5m" max(PercentDiskWriteTime) as "Write" max(PercentDiskReadTime) as "Read" by sourcetype</P> <P>but I get : Read:WMI:LocalPhysicalDisk_DFSR, Read:WMI:LocalPhysicalDisk_STAGING, Write:WMI:LocalPhysicalDisk_DFSR and Write:WMI:LocalPhysicalDisk_STAGING.</P> <P>This is not looking good in my timechart legend.</P> <P>Thanks</P> <P>Jean-Frederic</P> Mon, 28 Sep 2020 19:50:05 GMT https://community.splunk.com/t5/Splunk-Search/Customize-sourcetype-display/m-p/181018#M52175 jeanfrederic 2020-09-28T19:50:05Z https://community.splunk.com/t5/Splunk-Search/Customize-sourcetype-display/m-p/181019#M52176 <P>index="perfmon7days" earliest=-60m sourcetype="WMI:LocalPhysicalDisk_DFSR" OR sourcetype="WMI:LocalPhysicalDisk_STAGING" | eval _custom=if(source=="WMI:LocalPhysicalDisk_DFSR","DFSR","STAGING") | timechart span="5m" max(PercentDiskWriteTime) as "Write" max(PercentDiskReadTime) as "Read" by sourcetype | rename *WMI:LocalPhysicalDisk_DFSR AS *DFSR | rename *WMI:LocalPhysicalDisk_Staging AS *Staging</P> Mon, 28 Sep 2020 19:50:08 GMT https://community.splunk.com/t5/Splunk-Search/Customize-sourcetype-display/m-p/181019#M52176 woodcock 2020-09-28T19:50:08Z https://community.splunk.com/t5/Splunk-Search/Customize-sourcetype-display/m-p/181020#M52177 <P>Hello! Please let me know. Did you have a <STRONG>source</STRONG> named <STRONG>WMI:LocalPhysicalDisk_DFSR</STRONG> in your events? Please take the first query and change your <CODE>if (soure=.......</CODE> with <CODE>if (sourcetype=....</CODE>.and let me know what happen.</P> <P>Thanks!</P> Tue, 05 May 2015 21:39:20 GMT https://community.splunk.com/t5/Splunk-Search/Customize-sourcetype-display/m-p/181020#M52177 stephanefotso 2015-05-05T21:39:20Z https://community.splunk.com/t5/Splunk-Search/Customize-sourcetype-display/m-p/181021#M52178 <P>Thanks Stephano and Woodcock, both solution worked... it was in fact my source was "case sensitive"..... so, it was not working since my real source was "WMI:LocalPhysicalDisk_dfsr" <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>Thanks, it's much appreciated !</P> Wed, 06 May 2015 12:16:24 GMT https://community.splunk.com/t5/Splunk-Search/Customize-sourcetype-display/m-p/181021#M52178 jeanfrederic 2015-05-06T12:16:24Z https://community.splunk.com/t5/Splunk-Search/Customize-sourcetype-display/m-p/181022#M52179 <P>Which answer are you going to accept now? But, since the problem was the <STRONG>source</STRONG> i think you should accept mine.</P> Wed, 06 May 2015 13:33:41 GMT https://community.splunk.com/t5/Splunk-Search/Customize-sourcetype-display/m-p/181022#M52179 stephanefotso 2015-05-06T13:33:41Z