Solved: Re: merge timechart column

darksky21 · ‎11-16-2013

Hi i am using timechart count by source. It gave me a table:

_time cat dog  car
23/3   2   2    3
24/5   5   4    3

is there anyway to merge cat and dog into a single column like animal?

_time  animal  car
23/3      4     3
24/5      9     3

Thanks in advance

lguinn2 · ‎11-16-2013

Yes!

yoursearchhere
| eval source=if(source=="cat" OR source=="dog","animal",source)
| timechart count by source

View solution in original post

ShaneNewman · ‎11-16-2013

Sure thing, you will have to evaluate a new field and use the chart command instead. If you want it by day you will need to add the bucket command. Something of this effect:

your search | eval animal=(cat+dog) | bucket span=1d _time | chart sum(animal) as animal, sum(car) as car by _time

lguinn2 · ‎11-16-2013

Yes!

yoursearchhere
| eval source=if(source=="cat" OR source=="dog","animal",source)
| timechart count by source

darksky21 · ‎11-17-2013

thanks it works great

merge timechart column

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation