Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- help to values many fields in timechart command
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
02-18-2020
01:36 AM
hi
i use the search below for displaying a timechart
as you can see, the timechart is sorted by host
`toto`
earliest=-5d latest=now
| lookup test.csv HOSTNAME as host output SITE MODEL
| timechart avg(BootTime) as "Boot time" by host limit=10 useother=false
but I also need to values the fields SITE and MODEL in order to have for an host, the avg(BootTime), the SITE and the MODEL
Something like :
| timechart avg(BootTime) as "Boot time" by host SITE MODEL
How to do for values other fields with a timechart command please???
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
02-18-2020
02:00 AM
....
|eval tmp=host.":".SITE.":".MODEL
| timechart avg(BootTime) as "Boot time" by tmp
| rex field=tmp "(?<host>\S+?):(?<SITE>\S+?):(?<MODEL>\S+)"
| fields - tmp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
02-18-2020
02:00 AM
....
|eval tmp=host.":".SITE.":".MODEL
| timechart avg(BootTime) as "Boot time" by tmp
| rex field=tmp "(?<host>\S+?):(?<SITE>\S+?):(?<MODEL>\S+)"
| fields - tmp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
02-18-2020
04:21 AM
It doesnt works
if I am doing | search SITE=* OR MODEL=* I have no results
And i also need to display the timechart by host
Actually instead host I have "NULL"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
02-18-2020
04:38 AM
@jip31
Of course you do the query after the lookup, right?
it doesn't works
You say this and you know the cause and what to do?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
02-18-2020
10:50 PM
yes after the lookup
and i dont know why | search SITE=* OR MODEL=* doesnt works
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
02-19-2020
12:49 AM
| search SITE=* OR MODEL=* is unnecessary.
Get Updates on the Splunk Community!
New in Splunk Observability Cloud: Automated Archiving for Unused Metrics
Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...
Calling All Security Pros: Ready to Race Through Boston?
Hey Splunkers,
.conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...
What's New in Splunk Observability - July 2025
What’s New?
We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what ...
