- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- is there a command that can do the same work of sp...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Folks,
I'm unable to pass a variable to span (e.i span=duration s) where duration is an integer.
Is there a command that can do what i want? or is there a way to do what i need with span.
thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Depending on at least what and where you want to archive this another approach could be to use the map command like this:
| stats count as param | eval param=600 | map search="search index=_internal | head 1000 | timechart span=$param$s count"
Note: If you use this search within a dashboard you have to "escape" the $ with $$, which would look like this ... span=$$param$$s .... This is because dashboard tokens look just the same: $someDashboardToken$.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Depending on at least what and where you want to archive this another approach could be to use the map command like this:
| stats count as param | eval param=600 | map search="search index=_internal | head 1000 | timechart span=$param$s count"
Note: If you use this search within a dashboard you have to "escape" the $ with $$, which would look like this ... span=$$param$$s .... This is because dashboard tokens look just the same: $someDashboardToken$.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use a macro.
Define the macro like this (I'll use config files since that is faster for me).
[timechartSpan(3)]
args = tcSpanField, tcSpanTime, args
definition = timechart span=$tcSpanField$$tcSpanTime$ $args$
Then in your search, you can do this:
<your_search> | `timechartSpan(duration,"s", "count by host")`
Assuming your "duration" is 600, this should expand to:
<your_search> | timechart span=600s count by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your help.
I have define the maco in macro.conf in C:\Program Files\Splunk\etc\apps\search\default and I've even restart splunk .But when i lunch my search that is :
index=_internal| timechartSpan(duration,"s", "count by host")
i have this error:
Error in 'SearchParser': Missing a search command before '''. Error at position '23' of search query 'search index=_internal|'timechartSpan(duration,"s"'.
I will like to do it through macro. can you please tell me what i missed?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe you did this:
In order to call a defined macro you have to use a certain type of quotation marks: `
http://en.wikipedia.org/wiki/Grave_accent
Moreover you should use meaningful params. e.g.:
index=_internal| `timechartSpan(600,"s", "count by host")`
As for me, I would make the makro a bit slimmer:
[timechartSpan(2)]
args = timespanvalue, args
definition = timechart span=$timespanvalue$ $args$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your help.
I've use the grave accent as you did it works with the param 600.
BUT my initial problem remain:
At the place where you have 600 i want to have a variable(duration) that i compute earlier. So i want a search like this to work:
index=_internal|eval duration=600|timechartSpan(duration,"s", "count by host")
I'm using this macro definition:
[timechartSpan(3)]
args = tcSpanField, tcSpanTime, args
definition = timechart span=$tcSpanField$$tcSpanTime$ $args$
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
