Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splitting multiple unknown fields to timechart by another field

cphair
Builder
‎06-18-2013 10:28 AM

Hi,

I've been using * in statistical commands for shorthand in writing out the fields. This has been useful on dynamic dashboards where I don't know what source/sourcetype a user will choose, so I don't have to specify field names ahead of time. A format like the following works:



index=internal | timechart avg(*) as avg*

but this one returns no results:


index=internal | timechart avg(*) as avg* by host

I'm guessing the * is eating the host field before the timechart command tries to split by it. Is there anything I can do about this? I'm running 4.3.4.

0 Karma
Reply

rechteklebe
Path Finder
‎06-19-2013 01:09 AM

Try this:

index=internal | timechart avg() as "avg" by host

0 Karma
Reply

cphair
Builder
‎06-19-2013 04:57 AM

Doesn't work. Same problem.

0 Karma
Reply

rechteklebe
Path Finder
‎06-19-2013 01:46 AM

the stars are filtered out..so for sure with the stars 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...