Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Select my extracted fields for correlation in timechart

sbnoobbb
Path Finder
‎07-14-2013 07:47 PM

I am using a search command of sourcetype=CurrentWeatherSGMap OR sourcetype=ltaTraffic | timechart count(type) as Incident count(current_summary) as Rain.

I had current_summary and type, which I needed only the Rain from current_summary and Accident from type in both sources using the search query. Anyway I can do it ?

alt text

alt text

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎07-15-2013 05:33 AM

Did you read the timechart docs? You can specify which field values you are interested in using eval statements. So something like this should work:

sourcetype=CurrentWeatherSGMap OR sourcetype=ltaTraffic | timechart count(eval(type=="Accident")) as Incident, count(eval(current_summary=="Rain")) as Rain

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎07-15-2013 05:33 AM

Did you read the timechart docs? You can specify which field values you are interested in using eval statements. So something like this should work:

sourcetype=CurrentWeatherSGMap OR sourcetype=ltaTraffic | timechart count(eval(type=="Accident")) as Incident, count(eval(current_summary=="Rain")) as Rain
Reply
Solved! Jump to solution

kailun92
Communicator
‎07-15-2013 05:57 AM

Kk, i am just double checking 😃 I am only not sure about the two sourcetype. Thanks ! Eval is what i needed 😃

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎07-15-2013 05:49 AM

Uh...well yes. That's kind of basic search filtering functionality. If you're unsure about those kind of things I advise you to take the Splunk tutorial.

0 Karma
Reply
Solved! Jump to solution

kailun92
Communicator
‎07-15-2013 05:42 AM

Consider that both sourcetype have these location fields extracted.

0 Karma
Reply
Solved! Jump to solution

kailun92
Communicator
‎07-15-2013 05:39 AM

What if i got another field called location and I need the location of "PIE" for example? Only display result for PIE, how can i do that ? Put at by location=PIE ?

0 Karma
Reply
Solved! Jump to solution

kailun92
Communicator
‎07-15-2013 04:22 AM

Yes ! Against the same location !

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎07-15-2013 03:16 AM

So the desired result would be a graph with two lines - one for occurrences of rain and one for occurrences of accidents?

0 Karma
Reply
Solved! Jump to solution

sbnoobbb
Path Finder
‎07-15-2013 02:56 AM

I wanted to do a search for Rain and Accident on a timechart showing how rain affects more accidents (correlation of weather and traffic accidents). However the Accident is in Type and Rain is in current_summary. I need to do a count for number of times it rains on a specific location then count for accidents on the same location then plot it on a timechart.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎07-15-2013 02:09 AM

OK, but I have no idea what your desired result is (same issue as in your partner's more or less identical question). What exactly are you trying to do? What is the desired end result?

0 Karma
Reply
Solved! Jump to solution

sbnoobbb
Path Finder
‎07-15-2013 01:40 AM

I have edited the question. Check it out 😃

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎07-15-2013 01:12 AM

xmlkv is used for performing field extraction on certain XML formatted data. Not sure how it would be relevant in your scenario.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...