cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
ejohn
Path Finder
Member since: ‎08-04-2017
‎06-05-2020
Community Statistics
Posts 11
Solutions 0
Karma Given 14
Karma Received 3
Member Since ‎08-04-2017
Activity Feed
View All

Re: How do I display top 10 values in the Trellis ...

by in Dashboards & Visualizations
‎11-06-2017 03:33 PM
‎11-06-2017 03:33 PM
Oh... ok @niketnilay. I must have entered something wrong the first time, because no results were returning and it worked when I added the limit. I tried all three solutions today with success. Thanks again! ... View more

Re: How do I display top 10 values in the Trellis ...

by in Dashboards & Visualizations
‎11-03-2017 02:43 PM
‎11-03-2017 02:43 PM
Hi @niketnilay. I knew top command was ideal, but I missed adding the by area portion in some attempts, and tried it in conjunction with stats count in others. The grouping portion of my question was just an alternative option for displaying the information, if anyone had ideas. There was a small typo in the solution you provided, but the following displayed exactly what I needed: … |top limit=10 type by area Thanks for the help! ... View more

How do I display top 10 values in the Trellis layo...

by in Dashboards & Visualizations
‎11-03-2017 12:45 PM
‎11-03-2017 12:45 PM
Below is a sample from the end of my search: ... |stats count by area, type |sort -count Using the Trellis layout, split on AREA, six pie charts counting by TYPE are returned. I’d like to display the Top 10 types for each area. If the top command can’t be used, how can I group anything over the first 10 results in an “other” pie segment? ... View more

Re: How do I use a value in an existing field to c...

by in Splunk Search
‎08-10-2017 11:53 AM
1 Karma
‎08-10-2017 11:53 AM
1 Karma
@jkat54 and @woodcock this is my first real attempt a crowdsourcing and I like it! You guys have been awesome! ... View more

Re: How do I use a value in an existing field to c...

by in Splunk Search
‎08-10-2017 11:52 AM
‎08-10-2017 11:52 AM
That worked too! ... View more

Re: How do I use a value in an existing field to c...

by in Splunk Search
‎08-10-2017 11:37 AM
1 Karma
‎08-10-2017 11:37 AM
1 Karma
@jkat54, thanks for the suggestion. I decided to accept the answer with the higher EPS. Adding each eval to the rest of my search against 10 months of logs in Verbose mode: |eval type=case(match(title...) returned 14,190 EPS and |eval type=if(match(title...) returned 13,408 EPS ... View more

Re: How do I use a value in an existing field to c...

by in Splunk Search
‎08-08-2017 11:24 AM
‎08-08-2017 11:24 AM
Once I capitalized summary and detail it worked. Now I know how to account for upper and lower too. Thanks for the help! ... View more

Re: How do I use a value in an existing field to c...

by in Splunk Search
‎08-08-2017 11:18 AM
1 Karma
‎08-08-2017 11:18 AM
1 Karma
I changed * to .* in the eval and it worked! Thanks so much! ... View more

Re: How do I use a value in an existing field to c...

by in Splunk Search
‎08-07-2017 05:39 PM
‎08-07-2017 05:39 PM
Thanks for responding so quickly! This is creating the TYPE field, but it's only returning the value "unknown type". Could this have something to do with special characters in the titles? ... View more

Re: How do I use a value in an existing field to c...

by in Splunk Search
‎08-07-2017 05:35 PM
‎08-07-2017 05:35 PM
Thanks for the quick response! I tried this with * and with .* for wildcards, but I get the following error: Error in 'eval' command: The arguments to the 'searchmatch' function are invalid. ... View more

How do I use a value in an existing field to creat...

by in Splunk Search
‎08-07-2017 01:08 PM
‎08-07-2017 01:08 PM
I'm trying to create a new field called TYPE, which is dependent on the word "summary" or "detail" appearing in the TITLE field, so I can then count by TYPE. I successfully filtered my logs to identify reports with "summary" or "detail" in the title: |search(title="*summary*" OR "*detail*") Then, I tried to create TYPE and set its output values to "Report Summary" or "Detailed Report": |eval type=if(match(title,"*summary*"), "Report Summary", match(title, "*detail*"), "Detailed Report") I also tried doing a field extraction, but the title field does not appear in the Select Fields box to be highlighted. I'm stuck. Please help! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
View All
Karma given to