Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Select my extracted fields for correlation in timechart

sbnoobbb
Path Finder
‎07-14-2013 07:47 PM

I am using a search command of sourcetype=CurrentWeatherSGMap OR sourcetype=ltaTraffic | timechart count(type) as Incident count(current_summary) as Rain.

I had current_summary and type, which I needed only the Rain from current_summary and Accident from type in both sources using the search query. Anyway I can do it ?

alt text

alt text

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎07-15-2013 05:33 AM

Did you read the timechart docs? You can specify which field values you are interested in using eval statements. So something like this should work:

sourcetype=CurrentWeatherSGMap OR sourcetype=ltaTraffic | timechart count(eval(type=="Accident")) as Incident, count(eval(current_summary=="Rain")) as Rain

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎07-15-2013 05:33 AM

Did you read the timechart docs? You can specify which field values you are interested in using eval statements. So something like this should work:

sourcetype=CurrentWeatherSGMap OR sourcetype=ltaTraffic | timechart count(eval(type=="Accident")) as Incident, count(eval(current_summary=="Rain")) as Rain
Reply
Solved! Jump to solution

kailun92
Communicator
‎07-15-2013 05:57 AM

Kk, i am just double checking 😃 I am only not sure about the two sourcetype. Thanks ! Eval is what i needed 😃

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎07-15-2013 05:49 AM

Uh...well yes. That's kind of basic search filtering functionality. If you're unsure about those kind of things I advise you to take the Splunk tutorial.

0 Karma
Reply
Solved! Jump to solution

kailun92
Communicator
‎07-15-2013 05:42 AM

Consider that both sourcetype have these location fields extracted.

0 Karma
Reply
Solved! Jump to solution

kailun92
Communicator
‎07-15-2013 05:39 AM

What if i got another field called location and I need the location of "PIE" for example? Only display result for PIE, how can i do that ? Put at by location=PIE ?

0 Karma
Reply
Solved! Jump to solution

kailun92
Communicator
‎07-15-2013 04:22 AM

Yes ! Against the same location !

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎07-15-2013 03:16 AM

So the desired result would be a graph with two lines - one for occurrences of rain and one for occurrences of accidents?

0 Karma
Reply
Solved! Jump to solution

sbnoobbb
Path Finder
‎07-15-2013 02:56 AM

I wanted to do a search for Rain and Accident on a timechart showing how rain affects more accidents (correlation of weather and traffic accidents). However the Accident is in Type and Rain is in current_summary. I need to do a count for number of times it rains on a specific location then count for accidents on the same location then plot it on a timechart.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎07-15-2013 02:09 AM

OK, but I have no idea what your desired result is (same issue as in your partner's more or less identical question). What exactly are you trying to do? What is the desired end result?

0 Karma
Reply
Solved! Jump to solution

sbnoobbb
Path Finder
‎07-15-2013 01:40 AM

I have edited the question. Check it out 😃

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎07-15-2013 01:12 AM

xmlkv is used for performing field extraction on certain XML formatted data. Not sure how it would be relevant in your scenario.

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...