Splunk Search

Eval Equals Another Field

cquinney
Communicator

Greetings,

I have a query that ends with a timechart command

| timechart span=1h eval(round(avg(FIELD),0)) as "Response" by source_type

Previously, I created thresholds for my timechart by using eval

| eval Normal = 500
| eval High = 1000

However, as my number of source_types grew, I could no longer utilize the same thresholds. I've created a lookup that contains the necessary thresholds for each specific source_type, and I can see the new field created in the fields column on the left hand side of the screen. However, I'm having trouble adding this new field or setting this new field as its intended threshold delimiter.

So how can create a timechart (which I have to keep/utilize) and incorporate my thresholds from my lookup?

The final output would look similar to this:

_time              Source_Type     Normal          High
3/3/19             ABC               500             1000

Any help is greatly appreciated.

0 Karma

woodcock
Esteemed Legend

Like this:

... | timechart span=1h eval(round(avg(FIELD),0)) AS Response BY Source_Type
| untable _time sourcetype count
| lookup MyThresholdLookup Source_Type
...
0 Karma

cquinney
Communicator

Thank you for suggestion but it didn't give the outcome I need. Do you know of a way to to create a new field based on another field or from the lookup?

| eval Normal=Lookup.csv Normal

0 Karma

woodcock
Esteemed Legend

Let's start over. Show me:
1: A few raw events
2: Your full search (all of it)
3: Your current output
4: The first 2 lines of your Lookup.csv file
5: A mockup of your desired output

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...