How do I only show some fields values in my chart?

guillecasco
Path Finder

I have a search like this:

index=pupi (some rex extractions) |chart count by customer_id, name_EVENTS  

which gives me something like:

customer_id     AP_ERROR   AP_OK   DOWN_ERROR
John            50         70      78
Bill thomas     45         25      38
...

Thing is that the Customer ID field has like 100 different values. I just want a table that shows only 6 of them (not with TOP, not arbitrarily): 6 names that I need to choose and show. I tried to put those names in the search with OR "john" OR "Bill" OR "name", but it brings other logs that I don't want. Is this possible to do with eval? Something like: IF the value is "John" show it in the chart, if it is one of "the ones I want to show", show it, else don't show it?


splunkton
Path Finder

Try this

index=pupi (some rex extractions) | eval wanted=case(customer_id=="John","OK", customer_id=="Bill thomas","OK", 1=1,"notok") | search wanted="OK" | chart count by customer_id, name_EVENTS


jkat54
SplunkTrust
SplunkTrust

You need to specify the field name vs doing full text search across all data with the name.

... (customer_id="john" OR customer_id="Bill" OR customer_id="name") ...


guillecasco
Path Finder

I did that but it brings me data that I don't want. Evidently the names I want are in other kinds of logs; that's why I'm trying to do it with eval (I don't know which other way, if not).


jkat54
SplunkTrust
SplunkTrust

Yeah you can do that with case statement like this:

...| eval AP_ERROR=case(customer_id=="john" AND otherfield=="whatever",AP_ERROR, customer_id=="bob" AND otherfield=="something",AP_ERROR)

What this will do is if the customer_id is john and the otherfield is whatever, AP_ERROR will equal whatever AP_ERROR is in that event, ... and if customer_id is bob and otherfield is something, it will also be whatever AP_ERROR is in that event ... otherwise AP_ERROR will be null. Then when you start adding all these events up, the null values will not count as 0 or anything at all.

case([condition(s)1],"[value if condition1=true]",[condition(s)2],"[value if condition2=true]") ... so on

http://docs.splunk.com/Documentation/Splunk/6.0.7/SearchReference/CommonEvalFunctions

If you want "[value if condition=true]" to be a field's value, just remove the double quotes so that it's like this:

case([condition(s)1],fieldname,[condition(s)2],fieldname) ... so on

I hope all that helps
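A complete search of the kind the answer describes, added here as an example (it is not from the thread); it assumes customer_id and name_EVENTS are already extracted by the rex stage of the original search, and the six names are constructed placeholders:

```spl
index=pupi (some rex extractions)
| eval customer_id=case(
      customer_id=="John",        customer_id,
      customer_id=="Bill thomas", customer_id,
      customer_id=="Ann",         customer_id,
      customer_id=="Carlos",      customer_id,
      customer_id=="Dana",        customer_id,
      customer_id=="Eve",         customer_id)
| chart count by customer_id, name_EVENTS
```

Because there is no `1=1` default clause, every event whose customer_id is outside the list gets a null customer_id from case(), and chart drops events with a null row field, so only the six chosen rows appear. When a name also occurs in other kinds of logs, add a second condition inside each clause (for example `customer_id=="John" AND sourcetype=="app"`, with a hypothetical sourcetype) so those events are nulled as well.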

guillecasco
Path Finder

great thank you my friend


jkat54
SplunkTrust
SplunkTrust

You're very welcome!
