Can I combine 2 fields into 1 using this method:
Combining the 2 fields c84163237 and c84163338 into the one field seizureTraffic:
...| timechart span=1h sum(c84163237) as seizureTraffic, sum(c84163338) as seizureTraffic by LABEL
Or do I have to do an eval command:
eval field1=c84163237+c84163338
I can't seem to get either working; can anyone advise?
HattrickNZ
Look at my example search
sourcetype=access_* | eval sr=bytes+other | timechart span=1h sum(bytes) as sb, sum(other) as so, sum(sr) as s by LABEL
and the result
It has something to do with my search before I do the timechart.
I have ...measInfoId=83888114 OR measInfoId=83888115 | timechart... but the thing is, to view the field c84163237 I need to select 83888114, and to view the field c84163338 I need to select 83888115.
But I still would have thought the method would work on this.
So it seems the counters need to be from the same measInfoId for it to work.
E.g. this will work, as c84163237 + c84163241 both fall under measInfoId=83888114:
... measInfoId=83888114 OR measInfoId=83888115 duration=* LABEL=RNC01SJH | eval test1=c84163237 + c84163241 | timechart span=h sum(c84163237) sum(c84163338) sum(eval(c84163237 + c84163241)) as Sum_Traffic3 sum(test1)
More explanation:
eval test1=c84163237 + c84163241 - this works
sum(eval(c84163237 + c84163241)) as Sum_Traffic3 - this works
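An added SPL example, not posted by anyone in this thread, showing one way to add two counters that arrive in separate events (as the follow-up describes, c84163237 only appears in measInfoId=83888114 events and c84163338 only in measInfoId=83888115 events). In SPL, eval runs per event and arithmetic on a field that is absent from that event yields null, so a plain c84163237 + c84163338 produces nothing when only one counter is present; coalesce(field, 0) substitutes 0 for the missing side. The leading ... stands for the base search the post elides, and the field names and LABEL value are taken from the post.

```spl
... measInfoId=83888114 OR measInfoId=83888115 duration=* LABEL=RNC01SJH
| eval seizureTraffic = coalesce(c84163237, 0) + coalesce(c84163338, 0)
| timechart span=1h sum(seizureTraffic) as seizureTraffic by LABEL
```

The same idea works inside the aggregation, as sum(eval(coalesce(c84163237, 0) + coalesce(c84163338, 0))) as seizureTraffic. Alternatively, sum each counter separately with timechart (without the by LABEL clause, so the two sums stay as two plain columns) and add the resulting columns with a following eval; that avoids the per-event null problem because the sums are computed first.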
Can you post some sample data and perhaps a mock-up of your desired result?