
merge timechart column

Path Finder

Hi, I am using `timechart count by source`. It gave me a table:

_time   cat   dog   car
23/3      2     2     3
24/5      5     4     3

Is there any way to merge cat and dog into a single column like animal?

_time   animal   car
23/3         4     3
24/5         9     3

Thanks in advance


Legend

Yes!

yoursearchhere
| eval source=if(source=="cat" OR source=="dog","animal",source)
| timechart count by source


Motivator

Sure thing, you will have to evaluate a new field and use the chart command instead. If you want it by day you will need to add the bucket command. Something to this effect:

your search
| eval animal=if(source=="cat" OR source=="dog",1,0), car=if(source=="car",1,0)
| bucket span=1d _time
| chart sum(animal) as animal, sum(car) as car by _time
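As an added example (not code from either answer above), the accepted answer's remap-before-timechart approach generalized to several categories with `case()` and regex matching, giving the same per-day buckets the chart/bucket answer aims for; the `true()` branch keeps any unmapped source as its own column. The category names, regexes and the 1-day span are assumptions for illustration.

```spl
yoursearchhere
| eval category=case(
      match(source, "^(cat|dog)$"),  "animal",
      match(source, "^(car|bus)$"),  "vehicle",
      true(),                        source)
| timechart span=1d count by category
```

Anchor the regexes as shown if `source` holds a full path, since an unanchored `cat` would also match a source such as `/var/log/catalog.log`.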


Path Finder

Thanks, it works great.
