Splunk Search

case statement using token for span in timechart

vinay4444
Explorer

index=XXX sourcetype="XXX" itemKey ="$metric$" name = "$Host$" | timechart span=$spantime$m $statistic$(value) by name

how can i add logic for $spantime$ to take values based on itemkey value
case itemKey = "x" then 10
case itemKey = "y" then 1 ?

Tags (1)
0 Karma

vinay4444
Explorer

thanks for the response i tried both methods but could not see change in span value 😞

index=xxx sourcetype="xxx" itemKey ="$metric$" name = "$Host$" | timechart [ eval spantime="span=".case(itemKey=="ms.db.cpu_usage_percent*",1,itemKey=="ms.db.connection_count",10)."m" | return $spantime ] SUM(value) by name

0 Karma

muebel
SplunkTrust
SplunkTrust

whats the literal search look like in the job inspector?

0 Karma

vinay4444
Explorer

index=xxx sourcetype="xxx" itemKey ="$metric$" name = "$Host$" | timechart span=$spantime$m $statistic$(value) by name

0 Karma

vinay4444
Explorer

based on value selected by user in itemKey we need to set the spantime for time chart

0 Karma

muebel
SplunkTrust
SplunkTrust

Hi vinay4444, I believe something like this will work, referencing the documentation on case : http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/CommonEvalFunctions#Comparison_and...

index=XXX sourcetype="XXX" itemKey ="$metric$" name = "$Host$" | timechart [ eval spantime="span=".case(itemKey=="x",10,itemKey=="y",1)."m" | return $spantime ] $statistic$(value) by name

Guessing you are spanning in minutes, so concatenated an m to the end, but you could modify that or build it into the case statement.

Let me know how this works!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I'm not sure the timechart command will work with variable substitution, but if it does it will be something like this.

index=XXX sourcetype="XXX" itemKey ="$metric$" name = "$Host$" | eval spantime=case(itemKey="x",10, itemKey="y",1, 1=1,1) | timechart span=$spantime$m $statistic$(value) by name
---
If this reply helps you, Karma would be appreciated.
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Data Management Digest – June 2026

Welcome to the June 2026 edition of Data Management Digest! This month’s update is short and sweet, with a ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...