How to use the value of a variable as a text for a timechart field



As part of my search, I'm building some strings with eval and assigning them to variables. I want to use these built strings as the text displayed for the timechart fields. It would be something like this:

index=ecevt2 source=128_distribution
| eval bucket1_start=round(min_balance,0)
| eval bucket1_end=round(min_balance+range)
| eval bucket1=tostring(bucket1_start). "-" .tostring(bucket1_end)
| eval bucket2_start=round(bucket1_end,0)
| eval bucket2_end=round(bucket1_end+range)
| eval bucket2=tostring(bucket2_start). "-" .tostring(bucket2_end)
| eval bucket3_start=round(bucket2_end,0)
| eval bucket3_end=round(bucket2_end+range)
| eval bucket3=tostring(bucket3_start). "-" .tostring(bucket3_end)
| eval bucket4_start=round(bucket3_end,0)
| eval bucket4_end=round(bucket3_end+range)
| eval bucket4=tostring(bucket4_start). "-" .tostring(bucket4_end)
| eval bucket5_start=round(bucket4_end,0)
| eval bucket5_end=round(bucket4_end+range)
| eval bucket5=tostring(bucket5_start). "-" .tostring(bucket5_end)
| fields bucket1
| timechart span=3m max(value1) as bucket1, max(value2) as bucket2, max(value3) as bucket3, max(value4) as bucket4, max(value5) as bucket5

So, instead of showing "bucket1" as the text of the field for value1 in timechart, I would like to have the constructed string done with eval (tostring(bucket1_start). "-" .tostring(bucket1_end)).

Is there any way to achieve that?

Many thanks

0 Karma

Ultra Champion
index=ecevt2 source=128_distribution
| fillnull bucket1 bucket2 bucket3 bucket4 bucket5
| fields _time bucket* value* min_balance range
| foreach bucket* [ eval <<FIELD>>_start=round(min_balance,0) 
| eval <<FIELD>>_end=round(min_balance+range) 
| eval <<FIELD>>=tostring(<<FIELD>>_start). "-" .tostring(<<FIELD>>_end) ]
| foreach value* [eval {bucket<<MATCHSTR>>} = '<<FIELD>>']
| fields - bucket* _raw value* min_balance range
| timechart span=3m max(*) as * 

There is no log, so you should modify it to use the appropriate fields.

0 Karma
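The dynamic field naming used in the answer above (`eval {field} = ...` names the new field after the value of `field`), as an added example that is not part of the original thread. It runs on constructed data from `makeresults`, assumes three value fields with a constant `min_balance=100` and `range=50`, uses hypothetical helper fields `n` and `label1`..`label3`, and chains the ranges as in the question so that each bucket starts where the previous one ends:

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = relative_time(now(), "@h") + n * 60
| eval min_balance = 100, range = 50
| eval value1 = n, value2 = n * 2, value3 = n * 3
| foreach value* [ eval label<<MATCHSTR>> = tostring(round(min_balance + (<<MATCHSTR>> - 1) * range, 0)) . "-" . tostring(round(min_balance + <<MATCHSTR>> * range, 0)) ]
| foreach value* [ eval {label<<MATCHSTR>>} = '<<FIELD>>' ]
| fields - label* value* min_balance range n
| timechart span=3m max(*) AS *
```

The timechart columns come out as `100-150`, `150-200` and `200-250`. Because `{label1}` is resolved per event, the column names stay stable only while `min_balance` and `range` are the same on every event; otherwise each distinct label becomes its own series.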