This is my query
sourcetype="pivotsource" OR sourcetype="vodplayerrors_animation" | stats count AS tnow | eval tnow = now() |
convert ctime(tnow) | eval n=substr(tnow,15,15) |eval m=substr(n,0,2)| eval switcherValue=case(m=55,voderrorcode,m=56,status) | stats count by switcherValue
I have to get the field name based on the m value in the case. Even though I am not giving the quotes, the case statement is treating it as a string; because of this I am not getting switcherValue as a field name.
Please advise me how to get the field name from the case statement instead of a string.
I have to point out that there are some other problems with your search. I have shown it below so that I can refer to it line-by-line:
sourcetype="pivotsource" OR sourcetype="vodplayerrors_animation"
| stats count AS tnow
| eval tnow = now()
| convert ctime(tnow)
| eval n= substr(tnow,15,15)
| eval m= substr(n,0,2)
| eval switcherValue=case(m=55,voderrorcode,m=56,status)
| stats count by switcherValue
In line 2, the stats command is unnecessary, because you overwrite the value of tnow in line 3 with the time that this search began. Did you really mean to use now()? I would have expected to use _time, but then I don't understand the condition you are testing. Finally, you seem to be manipulating the time to pick off certain characters in lines 3-5, but this seems like a hard way to do it.
Why not do this?
sourcetype="pivotsource" OR sourcetype="vodplayerrors_animation"
| eval m = strftime(now(),"%M")
| eval switcherValue=case(m==55,voderrorcode,
m==56,status,
1==1,null())
| stats count by switcherValue
I was too lazy to figure out what all the substr was about, so I just set m to the minutes portion of the time. If you wanted some other part of the time, look here for the codes: Common Time Format Variables
Also, note that I added a third option to the case function - what if m is something other than 55 or 56? In that case, I set switcherValue to null, but you could set it to something else.
Try the following:
sourcetype="pivotsource" OR sourcetype="vodplayerrors_animation" | stats count AS tnow | eval tnow = now() |
convert ctime(tnow) | eval n=substr(tnow,15,15) |eval m=substr(n,0,2)| eval switcherValue=case(m=55,voderrorcode,m=56,status) | eval sno=1| chart count over sno by switcherValue | fields - sno
In the above search I kept m values in quotes: | eval switcherValue=case(m="55",voderrorcode,m="56",status) | stats count by switcherValue