Solved: How to best combine 2 eval searches and use timech...

tkwaller · ‎10-07-2016

I know this is fairly simple question. I am trying to do a couple evals on userAgent fields, as I am trying not to use the app for it. I am also trying to avoid extra actions so I was just using search and evals to accomplish this. the problem is that I cannot get it to work with timechart as I am trying to timechart by 2 fields.

My basic evals are using if and match:

| eval browser_type = if(match(userAgent,"Firefox"),"Firefox", if(match(userAgent, "Safari"),"Safari", if(match(userAgent, "Macintosh"),"MAC", "OTHER"))) 
eval os_vendor = if(match(userAgent,"Windows"),"Windows", if(match(userAgent, "X11"),"Linux", if(match(userAgent, "Macintosh"),"MAC", "OTHER")))

and then timechart them

timechart count span=1d BY browser_type os_vendor

Is there a better way to combine the 2 evals to be able to achieve this with timechart?
Thanks!

sundareshr · ‎10-07-2016

Try with case instead of if

... | eval browser_type = case(match(userAgent,"Firefox"),"Firefox", match(userAgent, "Safari","Safari", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | eval os_vendor = case(match(userAgent,"Windows"),"Windows", match(userAgent, "X11"),"Linux", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | timechart span=1d count by browser_type os_vendor

View solution in original post

yannK · ‎10-07-2016

Keep in mind that a timechart accept only one clause by.

timechart count span=1d BY browser_type os_vendor

having both "browser_type" and "os_vendor" is too much.

You can prefer to create a merged field with to keep displaying, and raise the limit of numbers of series to display (default is 10)
example :

 | eval browser_os=browser_type."-".os_vendor limit=20
 |     timechart count span=1d BY browser_os

somesoni2 · ‎10-07-2016

Try like this (combining browser_type and os_vendor as one field as timechart doesn't support two fields in by clause

 ... | eval groupbyfield= case(match(userAgent,"Firefox"),"Firefox", match(userAgent, "Safari","Safari", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | eval groupbyfield= groupbyfield.":".case(match(userAgent,"Windows"),"Windows", match(userAgent, "X11"),"Linux", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | timechart span=1d count by groupbyfield

sundareshr · ‎10-07-2016

Try with case instead of if

... | eval browser_type = case(match(userAgent,"Firefox"),"Firefox", match(userAgent, "Safari","Safari", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | eval os_vendor = case(match(userAgent,"Windows"),"Windows", match(userAgent, "X11"),"Linux", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | timechart span=1d count by browser_type os_vendor

tkwaller · ‎10-17-2016

Yes this worked, case definitely worked here, thanks!

gcusello · ‎10-07-2016

Hi tkwaller
If you share an example of your log, maybe it's possible to extract fields using regexes at search time.
Bye.
Giuseppe

How to best combine 2 eval searches and use timechart?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor