Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to write Timechart for search with binary value result?

mrf23
Explorer
‎02-28-2023 02:00 PM

Hi I have a field, mode, which returns either returns data or is None (mode_true, mode_false). I'm trying to search and aggregate the sum [over time] of both outcomes over separately then plot both on a timechart (as a stacked bar or similar, where the data is separated categorically). I've tried a couple query types below with no luck

1.)

 

index=mode_qa module=mode_producer_logs "telemetry_event" 
| extract pairdelim="\"{,}" kvdelim=":" 
| multisearch [search mode!=None | eval type="mode_true"] [search mode=None | eval type="mode_false"]
| timechart span=60m count(mode) by type

 


2.)

 

index=mode_qa module=mode_producer_logs "telemetry event" 
| extract pairdelim="\"{,}" kvdelim=":" 
| eval modeBool = if(mode!=None, "mode_true", "mode_false")
| timechart count by modeBool span=30m

 

 

Both display a visual with only one data source (not binary, e.g. mode_true vs mode_false). Any ideas? New to Splunk

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎02-28-2023 02:28 PM

When you do

| eval modeBool = if(mode!=None, "mode_true", "mode_false")

You are comparing field mode to the field None, which I guess does not exist, so ALL your events will be mode_false. Quote the "None"

index=mode_qa module=mode_producer_logs "telemetry event" 
| extract pairdelim="\"{,}" kvdelim=":" 
| eval modeBool = if(mode!="None", "mode_true", "mode_false")
| timechart count by modeBool span=30m

 

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-28-2023 02:14 PM

Please explain what you mean by "no luck".  How do the results returned not meet expectations?

The second query looks like it should work, but perhaps there's an error we can see without knowing the data.

You can debug the query by running it one pipe at a time, verifying the results are expected before adding the next pipe.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

mrf23
Explorer
‎02-28-2023 02:23 PM

eval-if in #2. Not sure about the multisearch

0 Karma
Reply
Solved! Jump to solution

mrf23
Explorer
‎02-28-2023 02:21 PM

Hi @richgalloway Right, I put the resulting behavior at the bottom of my post -- "Both display a visual with only one data source (not binary, e.g. mode_true vs mode_false). "

I'm trying to display the binary outcomes as a categorical visual like a stacked bar, but the only result I see is a single bar for a given time point.

I believe the problem is with the eval-if statement - any idea on correct syntax for expected behavior?

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎02-28-2023 02:28 PM

When you do

| eval modeBool = if(mode!=None, "mode_true", "mode_false")

You are comparing field mode to the field None, which I guess does not exist, so ALL your events will be mode_false. Quote the "None"

index=mode_qa module=mode_producer_logs "telemetry event" 
| extract pairdelim="\"{,}" kvdelim=":" 
| eval modeBool = if(mode!="None", "mode_true", "mode_false")
| timechart count by modeBool span=30m

 

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...