Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to rename a wildcard search result?

sheltomt1
Explorer
‎07-23-2015 01:19 PM

So let's start with what I have. What's getting me good data:

sourcetype=xfer AND (XferStatus="*Beginning*") OR (XferStatus="*completed*")

I've already done a field extraction and called it XferStatus. Basically what it's doing is looking in my Transfer log for a key phrase of "http - 80". I'm then evaluating it to pull just the transfer starts or endings.

What I need to do is end up with a line chart that shows the rise and fall of Beginnings vs Completions over a 4 hour window.

Where I'm stuck is that I can't figure out a way to have it count Beginnings and Completions, because they are both searches on the XferStatus field. I'm happy not renaming them if I can get a timechart built off a search, but I can't seem to get that right either.

Help, please!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-23-2015 01:49 PM

Try this:

  sourcetype=xfer AND (XferStatus="*Beginning*") OR (XferStatus="*completed*")
| timechart count(eval(searchmatch("XferStatus=*Beginning*"))) as beginnings count(eval(searchmatch("XferStatus=*completed*"))) as completions

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-23-2015 01:49 PM

Try this:

  sourcetype=xfer AND (XferStatus="*Beginning*") OR (XferStatus="*completed*")
| timechart count(eval(searchmatch("XferStatus=*Beginning*"))) as beginnings count(eval(searchmatch("XferStatus=*completed*"))) as completions
Reply
Solved! Jump to solution

sheltomt1
Explorer
‎07-24-2015 06:35 AM

Ahhhh, there we go! I was trying the wrong evals. I scanned the searchmatch eval, but never considered throwing a count in front.

Thank you so much!

0 Karma
Reply
Solved! Jump to solution

sheltomt1
Explorer
‎07-23-2015 02:27 PM

I tried something very similar

Yours came up with very similar error:
Error in 'timechart' command: The eval expression for dynamic field 'searchmatch(XferStatus="Beginning")' is invalid. Error='The arguments to the 'searchmatch' function are invalid.'

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-23-2015 02:38 PM

Right - the quotes were off, I've fixed them.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...