Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- transform command after timechart?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dyeo
Engager
04-27-2019
10:43 AM
Is it possible to do an eval after using timechart? I want to modify the count values in column A by dividing those values by 10. My query below is not performing the operator on column A.
(index=Wineventlog sourcetype="WinEventLog:security" EventCode=4740 OR (action=failure EventCode=4625 host=eee OR host=xyz) OR (host=asd (EventCode=516 OR EventCode=411) NOT clientIP=10.10.10.10) NOT user="-") OR (index=fff action=failure)
| eval output=coalesce(userMsg, lockoutUser, user, sAMAccountName)
| eval descrip=case(EventCode=4625, "A", EventCode=4740, "B", EventCode=411, "C", EventCode=516, D", EventCode="AVEN-FAIL", "E")
| timechart span=1h dc(output) as count by descrip
|eval count=if(descrip="A", count/10, count)
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adonio
Ultra Champion
04-27-2019
11:02 AM
quick and dirty 2 steps process will be something like that:
(index=Wineventlog sourcetype="WinEventLog:security" EventCode=4740 OR (action=failure EventCode=4625 host=eee OR host=xyz) OR (host=asd (EventCode=516 OR EventCode=411) NOT clientIP=10.10.10.10) NOT user="-") OR (index=fff action=failure)
| eval output=coalesce(userMsg, lockoutUser, user, sAMAccountName)
| eval descrip=case(EventCode=4625, "A", EventCode=4740, "B", EventCode=411, "C", EventCode=516, D", EventCode="AVEN-FAIL", "E")
| bin span=1h _time
| stats dc(output) as unique_output by descrip _time
| eval unique_output = if(descrip=="A", unique_output/10, unique_output)
| timechart span=1h sum(unique_output) as tot_count by descrip
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adonio
Ultra Champion
04-27-2019
11:02 AM
quick and dirty 2 steps process will be something like that:
(index=Wineventlog sourcetype="WinEventLog:security" EventCode=4740 OR (action=failure EventCode=4625 host=eee OR host=xyz) OR (host=asd (EventCode=516 OR EventCode=411) NOT clientIP=10.10.10.10) NOT user="-") OR (index=fff action=failure)
| eval output=coalesce(userMsg, lockoutUser, user, sAMAccountName)
| eval descrip=case(EventCode=4625, "A", EventCode=4740, "B", EventCode=411, "C", EventCode=516, D", EventCode="AVEN-FAIL", "E")
| bin span=1h _time
| stats dc(output) as unique_output by descrip _time
| eval unique_output = if(descrip=="A", unique_output/10, unique_output)
| timechart span=1h sum(unique_output) as tot_count by descrip
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dyeo
Engager
04-27-2019
11:58 AM
Thanks for your help!
Get Updates on the Splunk Community!
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025
This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
Getting Started with Splunk Artificial Intelligence, Insights for Nonprofits, and ...
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
