Splunk Search

How to rename a wildcard search result?

Explorer

So let's start with what I have. What's getting me good data:

  sourcetype=xfer AND (XferStatus="*Beginning*" OR XferStatus="*completed*")

I've already done a field extraction and called it XferStatus. Basically what it's doing is looking in my Transfer log for a key phrase of "http - 80". I'm then evaluating it to pull just the transfer starts or endings.

What I need to do is end up with a line chart that shows the rise and fall of Beginnings vs Completions over a 4 hour window.

Where I'm stuck is that I can't figure out a way to have it count Beginnings and Completions, because they are both searches on the XferStatus field. I'm happy not renaming them if I can get a timechart built off a search, but I can't seem to get that right either.

Help, please!

0 Karma
1 Solution

SplunkTrust

Try this:

  sourcetype=xfer AND (XferStatus="*Beginning*" OR XferStatus="*completed*")
  | timechart count(eval(searchmatch("XferStatus=*Beginning*"))) as beginnings
              count(eval(searchmatch("XferStatus=*completed*"))) as completions

View solution in original post
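
An added example, not from the thread, showing the same chart built with an explicit phase field and a single `timechart ... by` instead of two `searchmatch()` counts. Everything in it is assumed from the question: the sourcetype `xfer`, the extracted `XferStatus` field, a 15-minute span (the 4-hour window itself comes from the time picker or `earliest=-4h`), and the hypothetical `net_started` column that shows how many more transfers began than finished in each bucket:

```spl
sourcetype=xfer AND (XferStatus="*Beginning*" OR XferStatus="*completed*")
| eval phase=case(match(XferStatus, "(?i)beginning"), "beginnings",
                  match(XferStatus, "(?i)completed"), "completions")
| where isnotnull(phase)
| timechart span=15m count by phase
| eval net_started=beginnings-completions
```

`searchmatch()` takes the whole search expression as one quoted string, `searchmatch("XferStatus=*Beginning*")`; quoting only the value, as in the error quoted later in this thread, is what makes Splunk report that the function's arguments are invalid. `match()` is used here rather than `like()` because `like()` is case-sensitive while the wildcard terms in the base search are not; the `(?i)` flag keeps the eval consistent with what the search already returned. `timechart count by phase` fills buckets with no events of a phase with 0, so the line for completions drops to zero rather than leaving a gap.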

Explorer

Ahhhh, there we go! I was trying the wrong evals. I scanned the searchmatch eval, but never considered throwing a count in front.

Thank you so much!

0 Karma

Explorer

I tried something very similar.

Yours came up with a very similar error:

  Error in 'timechart' command: The eval expression for dynamic field 'searchmatch(XferStatus="Beginning")' is invalid. Error='The arguments to the 'searchmatch' function are invalid.'

SplunkTrust

Right - the quotes were off, I've fixed them.

0 Karma