Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to rename a wildcard search result?

sheltomt1
Explorer
‎07-23-2015 01:19 PM

So let's start with what I have. What's getting me good data:

sourcetype=xfer AND (XferStatus="*Beginning*") OR (XferStatus="*completed*")

I've already done a field extraction and called it XferStatus. Basically what it's doing is looking in my Transfer log for a key phrase of "http - 80". I'm then evaluating it to pull just the transfer starts or endings.

What I need to do is end up with a line chart that shows the rise and fall of Beginnings vs Completions over a 4 hour window.

Where I'm stuck is that I can't figure out a way to have it count Beginnings and Completions, because they are both searches on the XferStatus field. I'm happy not renaming them if I can get a timechart built off a search, but I can't seem to get that right either.

Help, please!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-23-2015 01:49 PM

Try this:

  sourcetype=xfer AND (XferStatus="*Beginning*") OR (XferStatus="*completed*")
| timechart count(eval(searchmatch("XferStatus=*Beginning*"))) as beginnings count(eval(searchmatch("XferStatus=*completed*"))) as completions

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-23-2015 01:49 PM

Try this:

  sourcetype=xfer AND (XferStatus="*Beginning*") OR (XferStatus="*completed*")
| timechart count(eval(searchmatch("XferStatus=*Beginning*"))) as beginnings count(eval(searchmatch("XferStatus=*completed*"))) as completions
Reply
Solved! Jump to solution

sheltomt1
Explorer
‎07-24-2015 06:35 AM

Ahhhh, there we go! I was trying the wrong evals. I scanned the searchmatch eval, but never considered throwing a count in front.

Thank you so much!

0 Karma
Reply
Solved! Jump to solution

sheltomt1
Explorer
‎07-23-2015 02:27 PM

I tried something very similar

Yours came up with very similar error:
Error in 'timechart' command: The eval expression for dynamic field 'searchmatch(XferStatus="Beginning")' is invalid. Error='The arguments to the 'searchmatch' function are invalid.'

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-23-2015 02:38 PM

Right - the quotes were off, I've fixed them.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...