Solved: timechart dynamic fields

jibiuthaman · ‎02-17-2014

Took the below example from documentation....

Chart a single day's views and purchases at the Buttercup Games online store.

sourcetype=access_* | timechart per_hour(eval(method="GET")) AS Views, per_hour(eval(action="purchase")) AS Purchases

Want to do something similar but need to timechart count for all the events to host=wap4* and to host=wap5*

Don't want a side by side chart...

somesoni2 · ‎02-20-2014

Try this

sourcetype=access_* | timechart per_hour(eval(LIKE(host,"wap4%"))) AS wap4Count, per_hour(eval(LIKE(host,"wap5%"))) AS wap5Count

Note that * is replaced by %

View solution in original post

somesoni2 · ‎02-21-2014

Great.. I have converted my comment as answer. Please accept the answer if there are no followup question.

jibiuthaman · ‎02-20-2014

Cool... it works!!!!

somesoni2 · ‎02-20-2014

Try this

sourcetype=access_* | timechart per_hour(eval(LIKE(host,"wap4%"))) AS wap4Count, per_hour(eval(LIKE(host,"wap5%"))) AS wap5Count

Note that * is replaced by %

jibiuthaman · ‎02-20-2014

I hope you are able to see the * after wap4 and wap5

jibiuthaman · ‎02-20-2014

close... but what i want to do is
sourcetype=access_* | timechart per_hour(eval(host="wap4*")) AS wap4Count, per_hour(eval(host="wap5*")) AS wap5Count

This doesn't work.

the below one was also close but then it also doesn't work with wild cards..

source=usgs | eval Description=case(depth<=70, "Shallow", depth>70 AND depth<=300, "Mid", depth>300, "Deep") | stats count min(mag) max(mag) by Description

somesoni2 · ‎02-20-2014

Are you looking for something like this:-

sourcetype=access_* | timechart per_hour(eval(host="wap4")) AS wap4Count, per_hour(eval(host="wap5")) AS wap5Count

jibiuthaman · ‎02-20-2014

Any help on this one?
I am not looking to filter but timechart count by host where host can 2 types... one which starts with wap4 and another that starts with wap3...

jibiuthaman · ‎02-18-2014

I am not looking to filter but timechart count by host where host can 2 types... one which starts with wap4* and another that starts with wap3*...

Ayn · ‎02-17-2014

If all you want to do is filter so that you only get events from those two hosts, just add those as search filters in your base search:

sourcetype=access_* host=wap4* host=wap5* | timechart per_hour(eval(method="GET")) AS Views, per_hour(eval(action="purchase")) AS Purchases

...assuming the destination host is in the "host" field. If it's in another field, just use that instead.

jibiuthaman · ‎02-18-2014

want to group wap4* as 1 type of host and wap3* as another type. Don't want individual time chart

somesoni2 · ‎02-18-2014

Just add by host in the timechart.

timechart dynamic fields

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...