Solved: Re: timechart dynamic fields

jibiuthaman · ‎02-17-2014

Took the below example from documentation....

Chart a single day's views and purchases at the Buttercup Games online store.

sourcetype=access_* | timechart per_hour(eval(method="GET")) AS Views, per_hour(eval(action="purchase")) AS Purchases

Want to do something similar but need to timechart count for all the events to host=wap4* and to host=wap5*

Don't want a side by side chart...

somesoni2 · ‎02-20-2014

Try this

sourcetype=access_* | timechart per_hour(eval(LIKE(host,"wap4%"))) AS wap4Count, per_hour(eval(LIKE(host,"wap5%"))) AS wap5Count

Note that * is replaced by %

View solution in original post

somesoni2 · ‎02-21-2014

Great.. I have converted my comment as answer. Please accept the answer if there are no followup question.

jibiuthaman · ‎02-20-2014

Cool... it works!!!!

somesoni2 · ‎02-20-2014

Try this

sourcetype=access_* | timechart per_hour(eval(LIKE(host,"wap4%"))) AS wap4Count, per_hour(eval(LIKE(host,"wap5%"))) AS wap5Count

Note that * is replaced by %

jibiuthaman · ‎02-20-2014

I hope you are able to see the * after wap4 and wap5

jibiuthaman · ‎02-20-2014

close... but what i want to do is
sourcetype=access_* | timechart per_hour(eval(host="wap4*")) AS wap4Count, per_hour(eval(host="wap5*")) AS wap5Count

This doesn't work.

the below one was also close but then it also doesn't work with wild cards..

source=usgs | eval Description=case(depth<=70, "Shallow", depth>70 AND depth<=300, "Mid", depth>300, "Deep") | stats count min(mag) max(mag) by Description

somesoni2 · ‎02-20-2014

Are you looking for something like this:-

sourcetype=access_* | timechart per_hour(eval(host="wap4")) AS wap4Count, per_hour(eval(host="wap5")) AS wap5Count

jibiuthaman · ‎02-20-2014

Any help on this one?
I am not looking to filter but timechart count by host where host can 2 types... one which starts with wap4 and another that starts with wap3...

jibiuthaman · ‎02-18-2014

I am not looking to filter but timechart count by host where host can 2 types... one which starts with wap4* and another that starts with wap3*...

Ayn · ‎02-17-2014

If all you want to do is filter so that you only get events from those two hosts, just add those as search filters in your base search:

sourcetype=access_* host=wap4* host=wap5* | timechart per_hour(eval(method="GET")) AS Views, per_hour(eval(action="purchase")) AS Purchases

...assuming the destination host is in the "host" field. If it's in another field, just use that instead.

jibiuthaman · ‎02-18-2014

want to group wap4* as 1 type of host and wap3* as another type. Don't want individual time chart

somesoni2 · ‎02-18-2014

Just add by host in the timechart.

timechart dynamic fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation