Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splitting multiple unknown fields to timechart by another field

cphair
Builder
‎06-18-2013 10:28 AM

Hi,

I've been using * in statistical commands for shorthand in writing out the fields. This has been useful on dynamic dashboards where I don't know what source/sourcetype a user will choose, so I don't have to specify field names ahead of time. A format like the following works:



index=internal | timechart avg(*) as avg*

but this one returns no results:


index=internal | timechart avg(*) as avg* by host

I'm guessing the * is eating the host field before the timechart command tries to split by it. Is there anything I can do about this? I'm running 4.3.4.

0 Karma
Reply

rechteklebe
Path Finder
‎06-19-2013 01:09 AM

Try this:

index=internal | timechart avg() as "avg" by host

0 Karma
Reply

cphair
Builder
‎06-19-2013 04:57 AM

Doesn't work. Same problem.

0 Karma
Reply

rechteklebe
Path Finder
‎06-19-2013 01:46 AM

the stars are filtered out..so for sure with the stars 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...