topic Re: How do I only show some fields values in my chart? in Splunk Search

How do I only show some fields values in my chart?

guillecasco — Thu, 26 May 2016 19:19:22 GMT

I have a search like this:

index=pupi (some rex extractions) |chart count by customer_id, name_EVENTS

which gives me something like:

customer_iD     AP_ERROR  |  AP_OK  |  DOWN_ERROR 
John            50           70        78
Bill thomas     45           25        38
.
.

Thing is that Customer ID field has like 100 different values. I just want a table to show only 6 of them (not with TOP, not arbitrarily) 6 names that I need to choose and show. I tried to put those names in the search with OR "john" OR "Bill" OR "name", but it brings other logs that I don't want. Is this possible to do with eval? something like IF value is "John" show in chart if it is "the ones I want to show" ,show it, else don't show it?

Re: How do I only show some fields values in my chart?

jkat54 — Tue, 29 Sep 2020 09:48:54 GMT

You need to specify the field name vs doing full text search across all data with the name.

... (customer_id="john" OR customer_id="Bill" OR customer_id="name") ...

Re: How do I only show some fields values in my chart?

splunkton — Tue, 29 Sep 2020 09:47:49 GMT

Try this

index=pupi (some rex extractions)|eval wanted=case(Custome_id=JOHN,"OK" ,Custome_id=JOHN,"OK" ,Custome_id=JOHN,"OK" ,Custome_id=JOHN,"OK" ,Custome_id=JOHN,"OK" ,Custome_id=JOHN,"OK" ,1=1,"notok"|search wanted="OK" |chart count by customer_id, name_EVENTS

Re: How do I only show some fields values in my chart?

guillecasco — Thu, 26 May 2016 19:45:43 GMT

I did that but it brings me data that i don´t want. Evidently the name i want, are in other kinds of logs, that´s why i´m trying to do it with eval (i don´t know which other way if not)

Re: How do I only show some fields values in my chart?

jkat54 — Tue, 29 Sep 2020 09:49:02 GMT

Yeah you can do that with case statement like this:

...| eval AP_ERROR=case(customer_id==john AND otherfield==whatever,AP_ERROR,customer_id==bob AND otherfield==something,AP_ERROR)

What this will do is if the customer_id is john and the otherfield is whatever, AP_ERROR will equal whatever AP_ERROR is in that event, ... and if customer_id is bob and otherfield is something, it will also be whatever AP_ERROR is in that event ... otherwise AP_ERROR will be null. Then when you start adding all these events up, the null values will not count as 0 or anything at all.

case([condition(s)1],"[value if condition1=true]",[condition(s)2],"[value if condition2=true]") ... so on

http://docs.splunk.com/Documentation/Splunk/6.0.7/SearchReference/CommonEvalFunctions

if you want "[value if condition=true]" to be a field's value, just remove the double quotes so that its like this:

case([condition(s)1],fieldname,[condition(s)2],fieldname) ... so on

I hope all that helps

Re: How do I only show some fields values in my chart?

guillecasco — Fri, 27 May 2016 18:04:17 GMT

great thank you my friend

Re: How do I only show some fields values in my chart?

jkat54 — Fri, 27 May 2016 23:03:29 GMT

You're very welcome!