- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know this is fairly simple question. I am trying to do a couple evals on userAgent fields, as I am trying not to use the app for it. I am also trying to avoid extra actions so I was just using search and evals to accomplish this. the problem is that I cannot get it to work with timechart as I am trying to timechart by 2 fields.
My basic evals are using if and match:
| eval browser_type = if(match(userAgent,"Firefox"),"Firefox", if(match(userAgent, "Safari"),"Safari", if(match(userAgent, "Macintosh"),"MAC", "OTHER")))
eval os_vendor = if(match(userAgent,"Windows"),"Windows", if(match(userAgent, "X11"),"Linux", if(match(userAgent, "Macintosh"),"MAC", "OTHER")))
and then timechart them
timechart count span=1d BY browser_type os_vendor
Is there a better way to combine the 2 evals to be able to achieve this with timechart?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try with case instead of if
... | eval browser_type = case(match(userAgent,"Firefox"),"Firefox", match(userAgent, "Safari","Safari", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | eval os_vendor = case(match(userAgent,"Windows"),"Windows", match(userAgent, "X11"),"Linux", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | timechart span=1d count by browser_type os_vendor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Keep in mind that a timechart accept only one clause by.
timechart count span=1d BY browser_type os_vendor
having both "browser_type" and "os_vendor" is too much.
You can prefer to create a merged field with to keep displaying, and raise the limit of numbers of series to display (default is 10)
example :
| eval browser_os=browser_type."-".os_vendor limit=20
| timechart count span=1d BY browser_os
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this (combining browser_type and os_vendor as one field as timechart doesn't support two fields in by clause
... | eval groupbyfield= case(match(userAgent,"Firefox"),"Firefox", match(userAgent, "Safari","Safari", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | eval groupbyfield= groupbyfield.":".case(match(userAgent,"Windows"),"Windows", match(userAgent, "X11"),"Linux", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | timechart span=1d count by groupbyfield
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try with case instead of if
... | eval browser_type = case(match(userAgent,"Firefox"),"Firefox", match(userAgent, "Safari","Safari", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | eval os_vendor = case(match(userAgent,"Windows"),"Windows", match(userAgent, "X11"),"Linux", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | timechart span=1d count by browser_type os_vendor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes this worked, case definitely worked here, thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi tkwaller
If you share an example of your log, maybe it's possible to extract fields using regexes at search time.
Bye.
Giuseppe
