Solved: Re: How to edit my chart search to select the ear...

akazarov · ‎06-18-2015

Hello,

In my chart command, I'd like to select events satisfying some criteria. For example I can do:

chart  count(eval(field1=avalue))) by field2

but instead of count() I'd like to select an earliest event and extract a field value

chart  value(field3, earliest(eval(field1=avalue))) by field2

Is there a way to implement this, without complicated subsearches?

For example, my data is like

A=1 B=0 C=2
A=2 B=0 C=2
A=2 B=1 C=2
A=1 B=1 C=3

Then I call

chart value(A,earliest(B=1)) as D by C

and get

C=2 D=2
C=3 D=1

akazarov · ‎06-19-2015

OK, I managed to do this with additional eval:

| eval f1condition=case(field1=avalue, field3) | chart earliest(f1condition) as earliest_field3 by field2

View solution in original post

akazarov · ‎06-19-2015

OK, I managed to do this with additional eval:

| eval f1condition=case(field1=avalue, field3) | chart earliest(f1condition) as earliest_field3 by field2

woodcock · ‎06-18-2015

Like this?

... | chart earliest(field3) by field2

alacercogitatus · ‎06-18-2015

Ok, so you may need to define what you are looking to do more clearly. Can you provide sample data and maybe an example of output you would like to see from that data?

akazarov · ‎06-18-2015

added an example to the question. thanks!

How to edit my chart search to select the earliest event and extract a field value?

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector