Solved: Re: Timechart add value that doesn't appear in log

gnoellbn · ‎09-18-2013

Hello,

I'm trying to add a value to my timechart which doesn't appear in my log.

That search gives me my graph but I would like to add a field "MaxQuota" equals to 5

index=_internal source="/opt/splunk/var/log/splunk/license_audit.log" | timechart values(quotaExceededCount) |

Does anyone now how to do this ?

Thanks

gfuente · ‎09-18-2013

Hello

Just try this:

index=_internal source="/opt/splunk/var/log/splunk/license_audit.log" | eval MaxQuota="5" | timechart values(quotaExceededCount), last(MaxQuota)

This will give you a horizontal line in the chart as well as your previous data.

regards

gfuente · ‎09-18-2013

Hello

Just try this:

index=_internal source="/opt/splunk/var/log/splunk/license_audit.log" | eval MaxQuota="5" | timechart values(quotaExceededCount), last(MaxQuota)

This will give you a horizontal line in the chart as well as your previous data.

regards

gfuente · ‎09-18-2013

Easy one 🙂

gnoellbn · ‎09-18-2013

that's simple enough, I though "eval" would only take actual fields
thanks a lot 🙂

Timechart add value that doesn't appear in log