Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Timechart - Combining by columns
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
Hoping you may be able to point me in the right direction. I have a log like this:
TimeStamp="2011-12-13 09:00:01" NEID="MAS4_EDW" FileCount="0"
TimeStamp="2011-12-13 09:00:01" NEID="MAS4_RTDAS" FileCount="0"
TimeStamp="2011-12-13 09:00:01" NEID="MAS4_WBI" FileCount="0"
TimeStamp="2011-12-13 09:00:01" NEID="MMSC" FileCount="2"
TimeStamp="2011-12-13 09:00:01" NEID="MMSC7" FileCount="1"
TimeStamp="2011-12-13 09:00:01" NEID="MMSC7_IC" FileCount="4"
TimeStamp="2011-12-13 09:00:01" NEID="MMSC_IC" FileCount="1"
TimeStamp="2011-12-13 09:00:01" NEID="MSC1" FileCount="0"
TimeStamp="2011-12-13 09:00:01" NEID="MSC10" FileCount="1"
TimeStamp="2011-12-13 09:00:01" NEID="MSC11" FileCount="2"
TimeStamp="2011-12-13 09:00:01" NEID="MSC12" FileCount="1"
TimeStamp="2011-12-13 09:00:01" NEID="MSC13" FileCount="2"
TimeStamp="2011-12-13 09:00:01" NEID="MSC14" FileCount="1"
TimeStamp="2011-12-13 09:00:01" NEID="MSC15" FileCount="1"
The FileCount gets inputed into this log at say every 30 minutes....
Now, I can easily graph the trends of the file counts over time by NEID with the following search:
source="<FILE>" | timechart span=30m limit=0 sum(FileCount) by NEID
BUT, what I would like to do is group all the MSC*, MSS* and MAS* fields... so that instead of getting a table/graph with a line for each NEID, I get one for the SUM(FileCount) of all MSS*, etc for MAS* and MSS*
I've tried quite a few eval type queries with no luck at this stage. Does anyone have any pointers please?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I understand you correctly, you wish to group on MSC*, MAS* etc - regardless of the number that follows the first three characters for the values of NEID.
In that case you can use;
source="<FILE>" | eval ZZZ=substr(NEID,1,3) | timechart span=30m limit=0 sum(FileCount) by ZZZ
hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I've been able to adapt this to meet my requirements
source="<FILE>" | eval ZZZ=if(substr(NEID,1,3)=="MSS",substr(NEID,1,3),NEID) | timechart span=30m limit=0 sum(FileCount) by ZZZ
Thanks Kristian for the point in the right direction.
Sam
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Kristian... That's excellent... That has worked perfectly.. I'm going to slightly complicate the issue a bit more and see if you can help 😉
Lets say I just want to group the MSS* ones, but leave the rest the same.... I'm guessing I'll have to get an eval if() going in there somehow...
So, for the above set of logs I would like the columns to be (just the MSS* ones summed up.. teh rest left as they are):
MAS4_EDW, MAS4_RTDAS, MAS4_WBI, MMSC, MMSC7_IC, MMSC_IC, MSC
Really appreciate the help..
Sam
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I understand you correctly, you wish to group on MSC*, MAS* etc - regardless of the number that follows the first three characters for the values of NEID.
In that case you can use;
source="<FILE>" | eval ZZZ=substr(NEID,1,3) | timechart span=30m limit=0 sum(FileCount) by ZZZ
hope this helps,
Kristian
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Splunk MCP & Agentic AI: Machine Data Without Limits
