I have a search like this:
index=pupi (some rex extractions) |chart count by customer_id, name_EVENTS
which gives me something like:
customer_id    AP_ERROR  AP_OK  DOWN_ERROR
John           50        70     78
Bill thomas    45        25     38
...
The thing is that the customer_id field has about 100 different values. I just want a table that shows only 6 of them (not with TOP, not arbitrarily): 6 names that I need to choose and show. I tried putting those names in the search with OR "john" OR "Bill" OR "name", but it brings other logs that I don't want. Is it possible to do this with eval? Something like: IF the value is "John", show it in the chart; if it is one of "the ones I want to show", show it; else don't show it?
You need to specify the field name rather than doing a full-text search across all data for the name.
... (customer_id="john" OR customer_id="Bill" OR customer_id="name") ...
Try this
index=pupi (some rex extractions) | eval wanted=case(customer_id=="John","OK", customer_id=="Bill thomas","OK", customer_id=="name3","OK", customer_id=="name4","OK", customer_id=="name5","OK", customer_id=="name6","OK", true(),"notok") | search wanted="OK" | chart count by customer_id, name_EVENTS
I did that, but it brings me data that I don't want. Evidently the names I want are in other kinds of logs too; that's why I'm trying to do it with eval (I don't know which other way, if not).
Yeah, you can do that with a case statement like this:
...| eval AP_ERROR=case(customer_id=="john" AND otherfield=="whatever", AP_ERROR, customer_id=="bob" AND otherfield=="something", AP_ERROR)
What this does is: if customer_id is john and otherfield is whatever, AP_ERROR will equal whatever AP_ERROR is in that event ... and if customer_id is bob and otherfield is something, it will also be whatever AP_ERROR is in that event ... otherwise AP_ERROR will be null. Then when you start adding all these events up, the null values will not count as 0 or as anything at all.
case([condition(s)1],"[value if condition1=true]",[condition(s)2],"[value if condition2=true]") ... so on
http://docs.splunk.com/Documentation/Splunk/6.0.7/SearchReference/CommonEvalFunctions
If you want "[value if condition=true]" to be a field's value, just remove the double quotes so that it looks like this:
case([condition(s)1],fieldname,[condition(s)2],fieldname) ... and so on
I hope all that helps
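A complete version of the approach from this answer, added here as an illustration and not taken from the original thread. It assumes the events you want carry sourcetype="app_log" (a made-up value; substitute whatever field actually distinguishes the right kind of log) and that customer_id and name_EVENTS come from the rex extractions, so the customer filter has to sit after those extractions in the pipeline rather than in the base search:

```spl
index=pupi (some rex extractions)
| eval wanted=case(
      customer_id=="John" AND sourcetype=="app_log", "OK",
      customer_id=="Bill thomas" AND sourcetype=="app_log", "OK",
      true(), "notok")
| where wanted=="OK"
| chart count by customer_id, name_EVENTS
```

Two things to keep in mind: string comparison in eval and where is case-sensitive, unlike the customer_id="john" term in the search command, so compare lower(customer_id)=="john" if the casing in the logs varies; and if you do not need the second condition, the shorter | search customer_id="John" OR customer_id="Bill thomas" placed after the rex extractions does the same job.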
great thank you my friend
You're very welcome!