
How do I only show some fields values in my chart?

Path Finder

I have a search like this:

index=pupi (some rex extractions) | chart count by customer_id, name_EVENTS

which gives me something like:

customer_id     AP_ERROR   AP_OK   DOWN_ERROR
John            50         70      78
Bill thomas     45         25      38
...

The thing is that the customer_id field has about 100 different values. I just want the table to show only 6 of them (not with top, not arbitrarily): 6 names that I need to choose and show. I tried putting those names in the search with OR "john" OR "Bill" OR "name", but it brings other logs that I don't want. Is this possible to do with eval? Something like: IF the value is "John", show it in the chart; if it is one of "the ones I want to show", show it; else don't show it?


SplunkTrust

You need to specify the field name vs doing full text search across all data with the name.

... (customer_id="john" OR customer_id="Bill" OR customer_id="name") ...


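As an added example (not from the original thread), here is the accepted answer's field-scoped filter written out as a complete search using the customer_id and name_EVENTS fields from the question. The rex patterns are an assumed stand-in for the question's "(some rex extractions)" and the event layout they imply (key=value pairs) is constructed for the example. The first search is a diagnostic: it runs the bare full-text version of the filter and breaks the matches down by sourcetype, so you can see which other log types the names alone were matching. The second keeps the match on the customer_id field, applied after the field has been extracted, so those stray events are never selected:

```spl
index=pupi ("John" OR "Bill thomas")
| stats count by sourcetype

index=pupi
| rex field=_raw "customer_id=(?<customer_id>[^,]+)"
| rex field=_raw "name_EVENTS=(?<name_EVENTS>\w+)"
| search customer_id="John" OR customer_id="Bill thomas"
| chart count by customer_id, name_EVENTS
```

Two things to check when this still returns more than expected. First, if customer_id is produced by a rex command, a customer_id=... term in the initial search has nothing to match against yet; the filter must come after the extraction as a | search stage, as above. Second, field-value comparisons in the search command are not case-sensitive, so customer_id="john" also matches John and JOHN; the same comparison inside eval or where is case-sensitive.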

Path Finder

Try this

index=pupi (some rex extractions)
| eval wanted=case(customer_id=="John","OK", customer_id=="Bill thomas","OK", 1=1,"notok")
| search wanted="OK"
| chart count by customer_id, name_EVENTS



Path Finder

I did that but it brings me data that I don't want. Evidently the names I want are in other kinds of logs; that's why I'm trying to do it with eval (I don't know which other way, if not).


SplunkTrust

Yeah you can do that with case statement like this:

...| eval AP_ERROR=case(customer_id=="john" AND otherfield=="whatever", AP_ERROR, customer_id=="bob" AND otherfield=="something", AP_ERROR)

What this will do is: if customer_id is john and otherfield is whatever, AP_ERROR will equal whatever AP_ERROR is in that event, ... and if customer_id is bob and otherfield is something, it will also be whatever AP_ERROR is in that event ... otherwise AP_ERROR will be null. Then when you start adding all these events up, the null values will not count as 0 or anything at all.

case([condition(s)1],"[value if condition1=true]",[condition(s)2],"[value if condition2=true]") ... so on

http://docs.splunk.com/Documentation/Splunk/6.0.7/SearchReference/CommonEvalFunctions

if you want "[value if condition=true]" to be a field's value, just remove the double quotes so that it's like this:

case([condition(s)1],fieldname,[condition(s)2],fieldname) ... so on

I hope all that helps
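As an added example (not the answerer's own search), here is the case() approach above completed into a full pipeline for the question's fields. It sets a wanted flag per event, keeps only the flagged events, and then charts them. The rex patterns are assumed stand-ins for the question's "(some rex extractions)", and the lower() wrapper is added so that the eval comparison, which unlike the search command is case-sensitive, still matches John, john and JOHN as the same customer:

```spl
index=pupi
| rex field=_raw "customer_id=(?<customer_id>[^,]+)"
| rex field=_raw "name_EVENTS=(?<name_EVENTS>\w+)"
| eval wanted=case(lower(customer_id)=="john", "yes",
                   lower(customer_id)=="bill thomas", "yes",
                   true(), "no")
| where wanted=="yes"
| chart count by customer_id, name_EVENTS
```

The true() catch-all at the end of case() is what makes every non-listed customer get "no" instead of a null flag; without it, unflagged events would have no wanted field at all, and the where clause would still drop them, but the explicit value makes the intent visible when you inspect the events with | table customer_id wanted before the chart. Adding more names means adding more condition/value pairs before the catch-all, one per customer.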

Path Finder

great thank you my friend


SplunkTrust

You're very welcome!
