Splunk Search

Is it possible for the chart command to not get executed unless cix is equal to the number 1?

bdh5574
New Member

I have the following search. What I would like is for the chart command to not get executed unless cix is equal to the number 1.
Is that possible? To have a conditional calculation?

| rename SMF70DTE as Date, SMF70TME as Time, SMF70SID as LPAR 
| eval IntervalTime=strftime(_time,"%H.%M")
| rex "SMF70CIX_\d{4}\":\"(?P<cix>[0-9.]+)\"" 
| rex "SMF70PDT_\d{4}\":\"(?P<pdt>[0-9.]+)\"" 
| chart sum(pdt) over IntervalTime by LPAR

Thanks, Bob

0 Karma

DalJeanis
Legend

After rex number 1 and before chart, insert this line:

| search cix=1 

It doesn't really matter if it's before or after rex number 2, but before rex number 2 is slightly more efficient.

0 Karma