Conditional timechart condiftion

gjhaaland · ‎11-09-2023

Hi,

Not sure how to fix it. Hope someone can give me a hint. The code looks like

index=asa host=1.2.3.4 src_sg_info=*

| timchart span=10m dc(src_sg_info) by src_sg_info

| rename user1 as "David E"

This splunk code will give a list with active/logged on VPN user. So far so good. So my question is following: howto include empty src_sg_info into the same timechart and mark it as "No active VPN user"

gjhaaland · ‎11-09-2023

Thanks, is it possible to

if field src_sg_info does not exist then "No active VPN user" in the same timechart.

FelixLeh · ‎11-09-2023

index=asa host=1.2.3.4 
| fillnull src_sg_info value="No active VPN user"
| timechart span=10m dc(src_sg_info) by src_sg_info
| rename user1 as "David E"

gjhaaland · ‎11-13-2023

Thanks,

Does not work. Also know following. If src_sg_info does not exist then we know that it's no active VPN user. Does not know how to test src_sg_info existance. Thnaks again.

Rgds

Geir

Conditional timechart condiftion

timechart

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

Conditional timechart condiftion

timechart

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...