Solved: merge timechart column

darksky21 · ‎11-16-2013

Hi i am using timechart count by source. It gave me a table:

_time cat dog  car
23/3   2   2    3
24/5   5   4    3

is there anyway to merge cat and dog into a single column like animal?

_time  animal  car
23/3      4     3
24/5      9     3

Thanks in advance

lguinn2 · ‎11-16-2013

Yes!

yoursearchhere
| eval source=if(source=="cat" OR source=="dog","animal",source)
| timechart count by source

View solution in original post

ShaneNewman · ‎11-16-2013

Sure thing, you will have to evaluate a new field and use the chart command instead. If you want it by day you will need to add the bucket command. Something of this effect:

your search | eval animal=(cat+dog) | bucket span=1d _time | chart sum(animal) as animal, sum(car) as car by _time

lguinn2 · ‎11-16-2013

Yes!

yoursearchhere
| eval source=if(source=="cat" OR source=="dog","animal",source)
| timechart count by source

darksky21 · ‎11-17-2013

thanks it works great

merge timechart column

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation