Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get a timechart with a backup source in case the preferred source does not exist?

johnraftery
Communicator
‎12-08-2015 02:49 AM

Hi,

I have two different sourcetypes that I can graph like this:

eventtype=mlc sourcetype=lts_timings host=X | eval details=task_name."; ".duration_seconds." seconds" | timechart count(duration_seconds) by details limit=0

eventtype=mlc sourcetype=lts-histo host=X | timechart count(task_name) by task_name limit=0

Sometimes the log file driving the first one does not get produced, and in this case, I would use the second one as a backup. The reason is that the second one is always produced, but the first has more information (the duration_seconds field). Is there a way to achieve this logic in one graph? Ideally I would like to write a single search saying something like this:

if_empty(eventtype=mlc sourcetype=lts_timings host=X) {
    eventtype=mlc sourcetype=lts-histo host=X | timechart count(task_name) by task_name limit=0
}
else {
    eventtype=mlc sourcetype=lts_timings host=X | eval details=task_name."; ".duration_seconds." seconds" | timechart count(duration_seconds) by details limit=0
}

Thanks for reading!
John

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-08-2015 06:09 AM

Try below. You might need to adjust a bit to accommodate all your conditions

eventtype=mlc (sourcetype= lts_timings OR sourcetype=lts-histo) host=X
|eval details=if(isnull(duration_seconds),task_name,task_name."; ".duration_seconds." seconds")
|eval dur_task=if(isnull(duration_seconds),task_name,duration_seconds)
|timechart count(dur_task) by details limit=0

or use coalesce ..
Refer here http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/CommonEvalFunctions

Happy Splunking!

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-08-2015 06:09 AM

Try below. You might need to adjust a bit to accommodate all your conditions

eventtype=mlc (sourcetype= lts_timings OR sourcetype=lts-histo) host=X
|eval details=if(isnull(duration_seconds),task_name,task_name."; ".duration_seconds." seconds")
|eval dur_task=if(isnull(duration_seconds),task_name,duration_seconds)
|timechart count(dur_task) by details limit=0

or use coalesce ..
Refer here http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/CommonEvalFunctions

Happy Splunking!
Reply
Solved! Jump to solution

johnraftery
Communicator
‎12-09-2015 08:10 AM

That's very helpful, thank you!

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎12-09-2015 04:04 PM

Hi @johnraftery

If @renjith.nair's answer solved your question, don't forget to click "Accept" directly below the answer to resolve this post.

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...