Splunk Search

help to values many fields in timechart command

jip31
Motivator

hi

i use the search below for displaying a timechart
as you can see, the timechart is sorted by host

`toto` 
    earliest=-5d latest=now 
| lookup test.csv HOSTNAME as host output SITE MODEL 
| timechart avg(BootTime) as "Boot time" by host limit=10 useother=false

but I also need to values the fields SITE and MODEL in order to have for an host, the avg(BootTime), the SITE and the MODEL
Something like :

    | timechart avg(BootTime) as "Boot time" by host SITE MODEL

How to do for values other fields with a timechart command please???

Tags (1)
0 Karma
1 Solution

to4kawa
Ultra Champion
....
|eval tmp=host.":".SITE.":".MODEL
| timechart avg(BootTime) as "Boot time" by tmp
| rex field=tmp "(?<host>\S+?):(?<SITE>\S+?):(?<MODEL>\S+)"
| fields - tmp

View solution in original post

0 Karma

to4kawa
Ultra Champion
....
|eval tmp=host.":".SITE.":".MODEL
| timechart avg(BootTime) as "Boot time" by tmp
| rex field=tmp "(?<host>\S+?):(?<SITE>\S+?):(?<MODEL>\S+)"
| fields - tmp
0 Karma

jip31
Motivator

It doesnt works
if I am doing | search SITE=* OR MODEL=* I have no results
And i also need to display the timechart by host
Actually instead host I have "NULL"

0 Karma

to4kawa
Ultra Champion

@jip31

Of course you do the query after the lookup, right?

it doesn't works
You say this and you know the cause and what to do?

0 Karma

jip31
Motivator

yes after the lookup
and i dont know why | search SITE=* OR MODEL=* doesnt works

0 Karma

to4kawa
Ultra Champion

| search SITE=* OR MODEL=* is unnecessary.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...