Hi,
I have the following search string, which works:
(sourcetype="cds_fms_access" x_event="*connect" x_status="200") | chart sum(bytes) as sum by hostname, x_event
And it will give results like this:

    hostname   connect   disconnect
    --------   -------   ----------
    host1      1000      2000
    host2      500       1500
I need to add one more field to chart: eventtype. Something like this, which won't work:
(sourcetype="cds_fms_access" x_event="*connect" x_status="200") | chart sum(bytes) as sum by hostname, x_event , eventtype
What I am trying to do is calculate the bytes for x_event=connect and x_event=disconnect separately by hostname and eventtype.
I have tried to use sum(eval(if(x_event="disconnect",0)))
but I got an error:
"Error in 'chart' command: The eval expression for dynamic field 'if(x_event="disconnect",0)' is invalid. Error='The arguments to the 'if' function are invalid.'"
Please Help.
Thanks in Advance
As per the docs:
http://docs.splunk.com/Documentation/Splunk/4.3/SearchReference/CommonEvalFunctions
The IF statement requires three inputs: the test, the value IF true, and a final value for IF not true (the else).
An example from the docs for quick reference:
err=if(error == 200, "OK", "Error")
I am not sure "if" works with "chart", but it does with "stats":
| stats sum(eval(if(eventtype=="SOME_EVENT",SOME_FIELD,0))) as SOME_TOTAL
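Putting the two answers together for the original search, here is an added example (not from either poster) that gives if() its required three arguments and splits the bytes per x_event value with stats, grouped by hostname and eventtype; the sourcetype and field names are the ones from the question, and the output field names connect_bytes and disconnect_bytes are assumed.

```spl
(sourcetype="cds_fms_access" x_event="*connect" x_status="200")
| stats sum(eval(if(x_event="connect", bytes, 0)))    AS connect_bytes
        sum(eval(if(x_event="disconnect", bytes, 0))) AS disconnect_bytes
  BY hostname, eventtype
```

Note that eventtype is a multivalue field, so an event that matches several eventtypes contributes a row (and its bytes) to each of them; wrap it in mvjoin() or filter it first if you need each event counted once.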