Splunk Search
Highlighted

How to best combine 2 eval searches and use timechart?

Builder

I know this is fairly simple question. I am trying to do a couple evals on userAgent fields, as I am trying not to use the app for it. I am also trying to avoid extra actions so I was just using search and evals to accomplish this. the problem is that I cannot get it to work with timechart as I am trying to timechart by 2 fields.

My basic evals are using if and match:

| eval browser_type = if(match(userAgent,"Firefox"),"Firefox", if(match(userAgent, "Safari"),"Safari", if(match(userAgent, "Macintosh"),"MAC", "OTHER"))) 
eval os_vendor = if(match(userAgent,"Windows"),"Windows", if(match(userAgent, "X11"),"Linux", if(match(userAgent, "Macintosh"),"MAC", "OTHER")))

and then timechart them

timechart count span=1d BY browser_type os_vendor

Is there a better way to combine the 2 evals to be able to achieve this with timechart?
Thanks!

0 Karma
Highlighted

Re: How to best combine 2 eval searches and use timechart?

Legend

Hi tkwaller
If you share an example of your log, maybe it's possible to extract fields using regexes at search time.
Bye.
Giuseppe

0 Karma
Highlighted

Re: How to best combine 2 eval searches and use timechart?

Legend

Try with case instead of if

... | eval browser_type = case(match(userAgent,"Firefox"),"Firefox", match(userAgent, "Safari","Safari", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | eval os_vendor = case(match(userAgent,"Windows"),"Windows", match(userAgent, "X11"),"Linux", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | timechart span=1d count by browser_type os_vendor

View solution in original post

0 Karma
Highlighted

Re: How to best combine 2 eval searches and use timechart?

Builder

Yes this worked, case definitely worked here, thanks!

0 Karma
Highlighted

Re: How to best combine 2 eval searches and use timechart?

SplunkTrust
SplunkTrust

Try like this (combining browsertype and osvendor as one field as timechart doesn't support two fields in by clause

 ... | eval groupbyfield= case(match(userAgent,"Firefox"),"Firefox", match(userAgent, "Safari","Safari", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | eval groupbyfield= groupbyfield.":".case(match(userAgent,"Windows"),"Windows", match(userAgent, "X11"),"Linux", match(userAgent, "Macintosh"),"MAC", 1=1, "OTHER") | timechart span=1d count by groupbyfield
0 Karma
Highlighted

Re: How to best combine 2 eval searches and use timechart?

Splunk Employee
Splunk Employee

Keep in mind that a timechart accept only one clause by.

timechart count span=1d BY browser_type os_vendor

having both "browsertype" and "osvendor" is too much.

You can prefer to create a merged field with to keep displaying, and raise the limit of numbers of series to display (default is 10)
example :

 | eval browser_os=browser_type."-".os_vendor limit=20
 |     timechart count span=1d BY browser_os
0 Karma