Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I combine two fields so that the labeling in one of the fields show up as one in the timechart visualization view?

pcnca
New Member
‎07-25-2019 05:44 AM

How can I combine two fields so that the labeling in the of the fields show up as one in the timechart visualization view?

i.e. from this searched Event, trying to combine “ hostname & port” , so that in the timechart it shows something like this ny9710c02_ fc2/23, currently I’ve been only able to get either one of these fields to display.

hostname = ny9710c02

port= fc2/23

" TXWait " source="SAN-45147" NOT *FALLING*| timechart count by hostname limit=10 

Time    Event
    7/23/19
3:01:19.778 PM  <43>2019-07-23T15:01:19.778405+00:00 ny9710c02.com 1.1.1.4 : 2019 Jul 23 11:01:19 EDT: %PMON-SLOT2-3-RISING_THRESHOLD_REACHED: TXWait has reached the rising threshold (port=fc2/23 [0x1096000], value=40) .
0 Karma
Reply

vnravikumar
Champion
‎07-25-2019 09:07 AM

Hi

Try like

|eval hostname_port = hostname."_".port| timechart count by hostname_port limit=10
0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...