Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I only show some fields values in my chart?

guillecasco
Path Finder
‎05-26-2016 12:19 PM

I have a search like this:

index=pupi (some rex extractions) |chart count by customer_id, name_EVENTS

which gives me something like:

customer_iD     AP_ERROR  |  AP_OK  |  DOWN_ERROR 
John            50           70        78
Bill thomas     45           25        38
.
.

Thing is that Customer ID field has like 100 different values. I just want a table to show only 6 of them (not with TOP, not arbitrarily) 6 names that I need to choose and show. I tried to put those names in the search with OR "john" OR "Bill" OR "name", but it brings other logs that I don't want. Is this possible to do with eval? something like IF value is "John" show in chart if it is "the ones I want to show" ,show it, else don't show it?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎05-26-2016 12:22 PM

You need to specify the field name vs doing full text search across all data with the name.

... (customer_id="john" OR customer_id="Bill" OR customer_id="name") ...

View solution in original post

0 Karma
Reply
Solved! Jump to solution

splunkton
Path Finder
‎05-26-2016 12:28 PM

Try this

index=pupi (some rex extractions)|eval wanted=case(Custome_id=JOHN,"OK" ,Custome_id=JOHN,"OK" ,Custome_id=JOHN,"OK" ,Custome_id=JOHN,"OK" ,Custome_id=JOHN,"OK" ,Custome_id=JOHN,"OK" ,1=1,"notok"|search wanted="OK" |chart count by customer_id, name_EVENTS

0 Karma
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎05-26-2016 12:22 PM

You need to specify the field name vs doing full text search across all data with the name.

... (customer_id="john" OR customer_id="Bill" OR customer_id="name") ...

0 Karma
Reply
Solved! Jump to solution

guillecasco
Path Finder
‎05-26-2016 12:45 PM

I did that but it brings me data that i don´t want. Evidently the name i want, are in other kinds of logs, that´s why i´m trying to do it with eval (i don´t know which other way if not)

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-26-2016 01:09 PM

Yeah you can do that with case statement like this:

...| eval AP_ERROR=case(customer_id==john AND otherfield==whatever,AP_ERROR,customer_id==bob AND otherfield==something,AP_ERROR)

What this will do is if the customer_id is john and the otherfield is whatever, AP_ERROR will equal whatever AP_ERROR is in that event, ... and if customer_id is bob and otherfield is something, it will also be whatever AP_ERROR is in that event ... otherwise AP_ERROR will be null. Then when you start adding all these events up, the null values will not count as 0 or anything at all.

case([condition(s)1],"[value if condition1=true]",[condition(s)2],"[value if condition2=true]") ... so on

http://docs.splunk.com/Documentation/Splunk/6.0.7/SearchReference/CommonEvalFunctions

if you want "[value if condition=true]" to be a field's value, just remove the double quotes so that its like this:

case([condition(s)1],fieldname,[condition(s)2],fieldname) ... so on

I hope all that helps

Reply
Solved! Jump to solution

guillecasco
Path Finder
‎05-27-2016 11:04 AM

great thank you my friend

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-27-2016 04:03 PM

You're very welcome!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...