Solved: Re: merge timechart column

darksky21 · ‎11-16-2013

Hi i am using timechart count by source. It gave me a table:

_time cat dog  car
23/3   2   2    3
24/5   5   4    3

is there anyway to merge cat and dog into a single column like animal?

_time  animal  car
23/3      4     3
24/5      9     3

Thanks in advance

lguinn2 · ‎11-16-2013

Yes!

yoursearchhere
| eval source=if(source=="cat" OR source=="dog","animal",source)
| timechart count by source

View solution in original post

ShaneNewman · ‎11-16-2013

Sure thing, you will have to evaluate a new field and use the chart command instead. If you want it by day you will need to add the bucket command. Something of this effect:

your search | eval animal=(cat+dog) | bucket span=1d _time | chart sum(animal) as animal, sum(car) as car by _time

lguinn2 · ‎11-16-2013

Yes!

yoursearchhere
| eval source=if(source=="cat" OR source=="dog","animal",source)
| timechart count by source

darksky21 · ‎11-17-2013

thanks it works great

merge timechart column

Application management with Targeted Application Install for Victoria Experience

Index This | What goes up and never comes down?

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

Join the Conversation

merge timechart column

Application management with Targeted Application Install for Victoria Experience

Index This | What goes up and never comes down?

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination