
How to use the value of a variable as a text for a timechart field

Engager

Hi,

As part of my search, I'm building some strings with eval and assigning them to variables. I want to use these built strings as the text displayed for the timechart fields. It would be something like this:

index=ecevt2 source=128_distribution
| eval bucket1start=round(minbalance,0)
| eval bucket1end=round(minbalance+range)
| eval bucket1=tostring(bucket1start). "-" .tostring(bucket1end)
| eval bucket2start=round(bucket1end,0)
| eval bucket2end=round(bucket1end+range)
| eval bucket2=tostring(bucket2start). "-" .tostring(bucket2end)
| eval bucket3start=round(bucket2end,0)
| eval bucket3end=round(bucket2end+range)
| eval bucket3=tostring(bucket3start). "-" .tostring(bucket3end)
| eval bucket4start=round(bucket3end,0)
| eval bucket4end=round(bucket3end+range)
| eval bucket4=tostring(bucket4start). "-" .tostring(bucket4end)
| eval bucket5start=round(bucket4end,0)
| eval bucket5end=round(bucket4end+range)
| eval bucket5=tostring(bucket5start). "-" .tostring(bucket5end)
| fields bucket1
| timechart span=3m max(value1) as bucket1, max(value2) as bucket2, max(value3) as bucket3, max(value4) as bucket4, max(value5) as bucket5

So, instead of showing "bucket1" as the text of the field for value1 in timechart, I would like to have the constructed string done with eval (tostring(bucket1start). "-" .tostring(bucket1end)).

Is there any way to achieve that?

Many thanks

0 Karma

Re: How to use the value of a variable as a text for a timechart field

Ultra Champion
index=ecevt2 source=128_distribution
| fillnull bucket1 bucket2 bucket3 bucket4 bucket5
| fields _time bucket* value* min_balance range
| foreach bucket* [ eval <<FIELD>>_start=round(min_balance,0) 
| eval <<FIELD>>_end=round(min_balance+range) 
| eval <<FIELD>>=tostring(<<FIELD>>_start). "-" .tostring(<<FIELD>>_end) ]
| foreach value* [eval {bucket<<MATCHSTR>>} = '<<FIELD>>']
| fields - bucket* _raw value* min_balance range
| timechart span=3m max(*) as * 

There is no log, so you should modify this to use the appropriate fields.

0 Karma
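
An added example, not part of either post: the `{field}` renaming used in the reply, run against six constructed `makeresults` events so it can be tried without the `ecevt2` index, with consecutive bucket ranges as in the question. The values assigned to `minbalance`, `range` and `value1` to `value3` are made up for illustration.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time=_time-(n*60)
| eval minbalance=100, range=50
| eval value1=n, value2=n*2, value3=n*3
| eval bucket1=tostring(round(minbalance,0))."-".tostring(round(minbalance+range,0))
| eval bucket2=tostring(round(minbalance+range,0))."-".tostring(round(minbalance+2*range,0))
| eval bucket3=tostring(round(minbalance+2*range,0))."-".tostring(round(minbalance+3*range,0))
| foreach value* [ eval {bucket<<MATCHSTR>>}='<<FIELD>>' ]
| fields - bucket* value* minbalance range n
| timechart span=3m max(*) AS *
```

The resulting columns are named 100-150, 150-200 and 200-250. If `minbalance` or `range` differ between events, each distinct label becomes its own column.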