Solved: Re: Timechart - Combining by columns

sampipe · ‎12-12-2011

Hi All,

Hoping you may be able to point me in the right direction. I have a log like this:

TimeStamp="2011-12-13 09:00:01" NEID="MAS4_EDW" FileCount="0"
TimeStamp="2011-12-13 09:00:01" NEID="MAS4_RTDAS" FileCount="0"
TimeStamp="2011-12-13 09:00:01" NEID="MAS4_WBI" FileCount="0"
TimeStamp="2011-12-13 09:00:01" NEID="MMSC" FileCount="2"
TimeStamp="2011-12-13 09:00:01" NEID="MMSC7" FileCount="1"
TimeStamp="2011-12-13 09:00:01" NEID="MMSC7_IC" FileCount="4"
TimeStamp="2011-12-13 09:00:01" NEID="MMSC_IC" FileCount="1"
TimeStamp="2011-12-13 09:00:01" NEID="MSC1" FileCount="0"
TimeStamp="2011-12-13 09:00:01" NEID="MSC10" FileCount="1"
TimeStamp="2011-12-13 09:00:01" NEID="MSC11" FileCount="2"
TimeStamp="2011-12-13 09:00:01" NEID="MSC12" FileCount="1"
TimeStamp="2011-12-13 09:00:01" NEID="MSC13" FileCount="2"
TimeStamp="2011-12-13 09:00:01" NEID="MSC14" FileCount="1"
TimeStamp="2011-12-13 09:00:01" NEID="MSC15" FileCount="1"

The FileCount gets inputed into this log at say every 30 minutes....

Now, I can easily graph the trends of the file counts over time by NEID with the following search:

source="<FILE>" | timechart span=30m limit=0 sum(FileCount) by NEID

BUT, what I would like to do is group all the MSC*, MSS* and MAS* fields... so that instead of getting a table/graph with a line for each NEID, I get one for the SUM(FileCount) of all MSS*, etc for MAS* and MSS*

I've tried quite a few eval type queries with no luck at this stage. Does anyone have any pointers please?

kristian_kolb · ‎12-12-2011

If I understand you correctly, you wish to group on MSC*, MAS* etc - regardless of the number that follows the first three characters for the values of NEID.

In that case you can use;

source="<FILE>" | eval ZZZ=substr(NEID,1,3) | timechart span=30m limit=0 sum(FileCount) by ZZZ

hope this helps,

Kristian

View solution in original post

sampipe · ‎12-12-2011

I think I've been able to adapt this to meet my requirements

source="<FILE>" | eval ZZZ=if(substr(NEID,1,3)=="MSS",substr(NEID,1,3),NEID) | timechart span=30m limit=0 sum(FileCount) by ZZZ

Thanks Kristian for the point in the right direction.

Sam

sampipe · ‎12-12-2011

Thanks Kristian... That's excellent... That has worked perfectly.. I'm going to slightly complicate the issue a bit more and see if you can help 😉

Lets say I just want to group the MSS* ones, but leave the rest the same.... I'm guessing I'll have to get an eval if() going in there somehow...

So, for the above set of logs I would like the columns to be (just the MSS* ones summed up.. teh rest left as they are):

MAS4_EDW, MAS4_RTDAS, MAS4_WBI, MMSC, MMSC7_IC, MMSC_IC, MSC

Really appreciate the help..

Sam

kristian_kolb · ‎12-12-2011

If I understand you correctly, you wish to group on MSC*, MAS* etc - regardless of the number that follows the first three characters for the values of NEID.

In that case you can use;

source="<FILE>" | eval ZZZ=substr(NEID,1,3) | timechart span=30m limit=0 sum(FileCount) by ZZZ

hope this helps,

Kristian

Timechart - Combining by columns

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation