https://community.splunk.com/t5/Splunk-Search/How-to-best-combine-2-eval-searches-and-use-timechart/m-p/238964#M71009 <P>I know this is fairly simple question. I am trying to do a couple evals on userAgent fields, as I am trying not to use the app for it. I am also trying to avoid extra actions so I was just using search and evals to accomplish this. the problem is that I cannot get it to work with timechart as I am trying to timechart by 2 fields.</P> <P>My basic evals are using if and match:</P> <PRE><CODE>| eval browser_type = if(match(userAgent,"Firefox"),"Firefox", if(match(userAgent, "Safari"),"Safari", if(match(userAgent, "Macintosh"),"MAC", "OTHER"))) eval os_vendor = if(match(userAgent,"Windows"),"Windows", if(match(userAgent, "X11"),"Linux", if(match(userAgent, "Macintosh"),"MAC", "OTHER"))) </CODE></PRE> <P>and then timechart them</P> <PRE><CODE>timechart count span=1d BY browser_type os_vendor </CODE></PRE> <P>Is there a better way to combine the 2 evals to be able to achieve this with timechart?<BR /> Thanks!</P> Fri, 07 Oct 2016 14:53:55 GMT tkwaller 2016-10-07T14:53:55Z https://community.splunk.com/t5/Splunk-Search/How-to-best-combine-2-eval-searches-and-use-timechart/m-p/238964#M71009 <P>I know this is fairly simple question. I am trying to do a couple evals on userAgent fields, as I am trying not to use the app for it. I am also trying to avoid extra actions so I was just using search and evals to accomplish this. the problem is that I cannot get it to work with timechart as I am trying to timechart by 2 fields.</P> <P>My basic evals are using if and match:</P> <PRE><CODE>| eval browser_type = if(match(userAgent,"Firefox"),"Firefox", if(match(userAgent, "Safari"),"Safari", if(match(userAgent, "Macintosh"),"MAC", "OTHER"))) eval os_vendor = if(match(userAgent,"Windows"),"Windows", if(match(userAgent, "X11"),"Linux", if(match(userAgent, "Macintosh"),"MAC", "OTHER"))) </CODE></PRE> <P>and then timechart them</P> <PRE><CODE>timechart count span=1d BY browser_type os_vendor </CODE></PRE> <P>Is there a better way to combine the 2 evals to be able to achieve this with timechart?<BR /> Thanks!</P> Fri, 07 Oct 2016 14:53:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-best-combine-2-eval-searches-and-use-timechart/m-p/238964#M71009 tkwaller 2016-10-07T14:53:55Z https://community.splunk.com/t5/Splunk-Search/How-to-best-combine-2-eval-searches-and-use-timechart/m-p/238965#M71010 <P>Hi tkwaller<BR /> If you share an example of your log, maybe it's possible to extract fields using regexes at search time.<BR /> Bye.<BR /> Giuseppe</P> Fri, 07 Oct 2016 14:59:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-best-combine-2-eval-searches-and-use-timechart/m-p/238965#M71010 gcusello 2016-10-07T14:59:09Z https://community.splunk.com/t5/Splunk-Search/How-to-best-combine-2-eval-searches-and-use-timechart/m-p/238966#M71011 <P>Try with <CODE>case</CODE> instead of <CODE>if</CODE></P> <PRE><CODE>... | eval browser_type = case(match(userAgent,"Firefox"),"Firefox", match(userAgent, "Safari","Safari", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | eval os_vendor = case(match(userAgent,"Windows"),"Windows", match(userAgent, "X11"),"Linux", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | timechart span=1d count by browser_type os_vendor </CODE></PRE> Fri, 07 Oct 2016 15:01:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-best-combine-2-eval-searches-and-use-timechart/m-p/238966#M71011 sundareshr 2016-10-07T15:01:09Z https://community.splunk.com/t5/Splunk-Search/How-to-best-combine-2-eval-searches-and-use-timechart/m-p/238967#M71012 <P>Try like this (combining browser_type and os_vendor as one field as timechart doesn't support two fields in by clause</P> <PRE><CODE> ... | eval groupbyfield= case(match(userAgent,"Firefox"),"Firefox", match(userAgent, "Safari","Safari", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | eval groupbyfield= groupbyfield.":".case(match(userAgent,"Windows"),"Windows", match(userAgent, "X11"),"Linux", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | timechart span=1d count by groupbyfield </CODE></PRE> Tue, 29 Sep 2020 11:19:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-best-combine-2-eval-searches-and-use-timechart/m-p/238967#M71012 somesoni2 2020-09-29T11:19:47Z https://community.splunk.com/t5/Splunk-Search/How-to-best-combine-2-eval-searches-and-use-timechart/m-p/238968#M71013 <P>Keep in mind that a timechart accept only one clause by.</P> <PRE><CODE>timechart count span=1d BY browser_type os_vendor </CODE></PRE> <P>having both "browser_type" and "os_vendor" is too much.</P> <P>You can prefer to create a merged field with to keep displaying, and raise the limit of numbers of series to display (default is 10)<BR /> example : </P> <PRE><CODE> | eval browser_os=browser_type."-".os_vendor limit=20 | timechart count span=1d BY browser_os </CODE></PRE> Tue, 29 Sep 2020 11:19:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-best-combine-2-eval-searches-and-use-timechart/m-p/238968#M71013 yannK 2020-09-29T11:19:50Z https://community.splunk.com/t5/Splunk-Search/How-to-best-combine-2-eval-searches-and-use-timechart/m-p/238969#M71014 <P>Yes this worked, case definitely worked here, thanks!</P> Mon, 17 Oct 2016 14:31:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-best-combine-2-eval-searches-and-use-timechart/m-p/238969#M71014 tkwaller 2016-10-17T14:31:09Z