How can I use transaction as a boolean to create a...

bdondlinger · ‎03-07-2017

I'd like to create a visualization showing the connected state of a hand full of clients.

We log connected state as "ClientID=nnnn - Connected" ... "ClientID=nnnn - Unreachable"

My search is as follows

 index=blah "Connected"  OR "Unreachable" | transaction ClientID startswith="Connected" endswith="Unreachable" | eval durationstr = tostring(duration,"duration") | table ClientID, durationstr, _time

how can I use transactions as a boolean to create a nice visualization showing client connectivity in a timechart?

cmerriman · ‎05-22-2017

If I'm understanding you, you'd like any ClientID that has "Connected" to be equal to 1 (for instance) and "Unreachable" to be equal to 0?
You could try something like:

  index=blah "Connected"  OR "Unreachable" | transaction ClientID startswith="Connected" endswith="Unreachable" | eval durationstr = tostring(duration,"duration")|eval ID=if(like(ClientID,"%Connected"),1,0)| table ClientID, durationstr, _time

How can I use transaction as a boolean to create a visualization in a timechart?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation