Splunk Search
Highlighted

How to get a timechart with a backup source in case the preferred source does not exist?

Communicator

Hi,

I have two different sourcetypes that I can graph like this:

eventtype=mlc sourcetype=lts_timings host=X | eval details=task_name."; ".duration_seconds." seconds" | timechart count(duration_seconds) by details limit=0

eventtype=mlc sourcetype=lts-histo host=X | timechart count(task_name) by task_name limit=0

Sometimes the log file driving the first one does not get produced, and in this case, I would use the second one as a backup. The reason is that the second one is always produced, but the first has more information (the duration_seconds field). Is there a way to achieve this logic in one graph? Ideally I would like to write a single search saying something like this:

if_empty(eventtype=mlc sourcetype=lts_timings host=X) {
    eventtype=mlc sourcetype=lts-histo host=X | timechart count(task_name) by task_name limit=0
}
else {
    eventtype=mlc sourcetype=lts_timings host=X | eval details=task_name."; ".duration_seconds." seconds" | timechart count(duration_seconds) by details limit=0
}

Thanks for reading!
John

0 Karma
Highlighted

Re: How to get a timechart with a backup source in case the preferred source does not exist?

SplunkTrust
SplunkTrust

Try below. You might need to adjust a bit to accommodate all your conditions

eventtype=mlc (sourcetype= lts_timings OR sourcetype=lts-histo) host=X
|eval details=if(isnull(duration_seconds),task_name,task_name."; ".duration_seconds." seconds")
|eval dur_task=if(isnull(duration_seconds),task_name,duration_seconds)
|timechart count(dur_task) by details limit=0

or use coalesce ..
Refer here http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/CommonEvalFunctions

View solution in original post

Highlighted

Re: How to get a timechart with a backup source in case the preferred source does not exist?

Communicator

That's very helpful, thank you!

0 Karma
Highlighted

Re: How to get a timechart with a backup source in case the preferred source does not exist?

Community Manager
Community Manager

Hi @johnraftery

If @renjith.nair's answer solved your question, don't forget to click "Accept" directly below the answer to resolve this post.