Conditional timechart condiftion

gjhaaland · ‎11-09-2023

Hi,

Not sure how to fix it. Hope someone can give me a hint. The code looks like

index=asa host=1.2.3.4 src_sg_info=*

| timchart span=10m dc(src_sg_info) by src_sg_info

| rename user1 as "David E"

This splunk code will give a list with active/logged on VPN user. So far so good. So my question is following: howto include empty src_sg_info into the same timechart and mark it as "No active VPN user"

gjhaaland · ‎11-09-2023

Thanks, is it possible to

if field src_sg_info does not exist then "No active VPN user" in the same timechart.

FelixLeh · ‎11-09-2023

index=asa host=1.2.3.4 
| fillnull src_sg_info value="No active VPN user"
| timechart span=10m dc(src_sg_info) by src_sg_info
| rename user1 as "David E"

gjhaaland · ‎11-13-2023

Thanks,

Does not work. Also know following. If src_sg_info does not exist then we know that it's no active VPN user. Does not know how to test src_sg_info existance. Thnaks again.

Rgds

Geir

Conditional timechart condiftion

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation

Conditional timechart condiftion

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence