Solved: How to edit my chart search to select the earlies...

akazarov · ‎06-18-2015

Hello,

In my chart command, I'd like to select events satisfying some criteria. For example I can do:

chart  count(eval(field1=avalue))) by field2

but instead of count() I'd like to select an earliest event and extract a field value

chart  value(field3, earliest(eval(field1=avalue))) by field2

Is there a way to implement this, without complicated subsearches?

For example, my data is like

A=1 B=0 C=2
A=2 B=0 C=2
A=2 B=1 C=2
A=1 B=1 C=3

Then I call

chart value(A,earliest(B=1)) as D by C

and get

C=2 D=2
C=3 D=1

akazarov · ‎06-19-2015

OK, I managed to do this with additional eval:

| eval f1condition=case(field1=avalue, field3) | chart earliest(f1condition) as earliest_field3 by field2

View solution in original post

akazarov · ‎06-19-2015

OK, I managed to do this with additional eval:

| eval f1condition=case(field1=avalue, field3) | chart earliest(f1condition) as earliest_field3 by field2

woodcock · ‎06-18-2015

Like this?

... | chart earliest(field3) by field2

alacercogitatus · ‎06-18-2015

Ok, so you may need to define what you are looking to do more clearly. Can you provide sample data and maybe an example of output you would like to see from that data?

akazarov · ‎06-18-2015

added an example to the question. thanks!

How to edit my chart search to select the earliest event and extract a field value?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!