Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to best combine 2 eval searches and use timechart?

tkwaller
Builder
‎10-07-2016 07:53 AM

I know this is fairly simple question. I am trying to do a couple evals on userAgent fields, as I am trying not to use the app for it. I am also trying to avoid extra actions so I was just using search and evals to accomplish this. the problem is that I cannot get it to work with timechart as I am trying to timechart by 2 fields.

My basic evals are using if and match:

| eval browser_type = if(match(userAgent,"Firefox"),"Firefox", if(match(userAgent, "Safari"),"Safari", if(match(userAgent, "Macintosh"),"MAC", "OTHER"))) 
eval os_vendor = if(match(userAgent,"Windows"),"Windows", if(match(userAgent, "X11"),"Linux", if(match(userAgent, "Macintosh"),"MAC", "OTHER")))

and then timechart them

timechart count span=1d BY browser_type os_vendor

Is there a better way to combine the 2 evals to be able to achieve this with timechart?
Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-07-2016 08:01 AM

Try with case instead of if

... | eval browser_type = case(match(userAgent,"Firefox"),"Firefox", match(userAgent, "Safari","Safari", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | eval os_vendor = case(match(userAgent,"Windows"),"Windows", match(userAgent, "X11"),"Linux", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | timechart span=1d count by browser_type os_vendor

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎10-07-2016 08:26 AM

Keep in mind that a timechart accept only one clause by.

timechart count span=1d BY browser_type os_vendor

having both "browser_type" and "os_vendor" is too much.

You can prefer to create a merged field with to keep displaying, and raise the limit of numbers of series to display (default is 10)
example : 

 | eval browser_os=browser_type."-".os_vendor limit=20
 |     timechart count span=1d BY browser_os
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-07-2016 08:16 AM

Try like this (combining browser_type and os_vendor as one field as timechart doesn't support two fields in by clause

 ... | eval groupbyfield= case(match(userAgent,"Firefox"),"Firefox", match(userAgent, "Safari","Safari", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | eval groupbyfield= groupbyfield.":".case(match(userAgent,"Windows"),"Windows", match(userAgent, "X11"),"Linux", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | timechart span=1d count by groupbyfield
0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-07-2016 08:01 AM

Try with case instead of if

... | eval browser_type = case(match(userAgent,"Firefox"),"Firefox", match(userAgent, "Safari","Safari", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | eval os_vendor = case(match(userAgent,"Windows"),"Windows", match(userAgent, "X11"),"Linux", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | timechart span=1d count by browser_type os_vendor
0 Karma
Reply
Solved! Jump to solution

tkwaller
Builder
‎10-17-2016 07:31 AM

Yes this worked, case definitely worked here, thanks!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-07-2016 07:59 AM

Hi tkwaller
If you share an example of your log, maybe it's possible to extract fields using regexes at search time.
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...