Hi there,
I am (very) new to this, so sorry for the lack of insight.
I have loaded a data set with multiple event types, which are qualified by the value of a text in a column. How do I create a search to look for all events which have 'column="value"'? I want to display a time series with data that just matches this criterion.
Just like you said. For a column named "component", you can search for specific values like this: component = Metrics. You can also do various other searches, such as component != Metrics. You should read up on the search language; a good starting point for you could be the book: http://www.splunk.com/goto/book
Jeff,
Thanks again. What I found unusual is that I don't actually need to. Here is my search string:
index="main" RealName="ConsolOpen" | timechart span=30m avg(Elapsed _ms)
so it seems that the parentheses suffice for delimiting the field name with a space.
I do find it frustrating that there is no warning or error when I enter something wrong (like Elasped_ms). It should really signal something, I think.
Stan
You don't always need to, but sometimes you have to. The function avg of timechart takes a single argument, so it is obvious that there is only one "string" in the parentheses. A command like table, on the other hand, can take more than one argument, and they do not need to be separated by commas (i.e. | table RealName OtherName is totally legit, although you might want to use | table RealName, OtherName to make it obvious). Therefore, you are required to explicitly surround the arguments with double quotes in these situations (try it: | table RealName Elapsed _ms should give you a table with three columns, two of them empty).
I can understand that you might be frustrated by always having to be precise, but you'll learn to understand the signs (such as a table with empty columns, or a search that returns no results).
Jeff,
Many thanks for that. Just the pointer I needed. The syntax is new to me and I was looking for enclosing quotes etc. Also, the parser seems to fail silently if I put in an illegal name. My column name was 'Elapsed _ms' (with a space) and I was entering 'Elapsed_ms' - so nothing was appearing.
That book is a great reference.
Thanks again,
Stan
You're welcome. By the way, if you're looking to enclose your search term, use double quotes (useful when they include a space).
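The two points made in Jeff's answers (field=value / field!=value filtering, and why a field name containing a space needs double quotes in a multi-argument command like table but not inside a single-argument function like avg) can be shown end to end with a small model of the argument-splitting rules. The code below is an added example, not Splunk code and not Splunk's actual parser: the events, the field names (RealName, component, "Elapsed _ms") and the filter/table/timechart semantics are constructed here to mirror the thread, and the "!=" rule (field present with a different value) is an assumption of this model. It also reproduces the silent failure Stan hit: a misspelled field name simply contributes nothing, with no error.

```python
"""Simplified model of the SPL quoting and filtering rules discussed in the thread.
Constructed example; it is not Splunk's parser and does not claim to match it exactly."""
import re
import statistics

# Constructed sample events. The last field name deliberately contains a space,
# like the "Elapsed _ms" column in the original question. _time is seconds.
EVENTS = [
    {"_time": 0,    "RealName": "ConsolOpen",  "component": "Metrics", "Elapsed _ms": 120},
    {"_time": 600,  "RealName": "ConsolOpen",  "component": "Metrics", "Elapsed _ms": 80},
    {"_time": 2400, "RealName": "ConsolClose", "component": "Auth",    "Elapsed _ms": 300},
    {"_time": 3000, "RealName": "ConsolOpen",  "component": "Auth",    "Elapsed _ms": 200},
]

# An argument is either a double-quoted string (may contain spaces) or a bare run
# of characters with no whitespace, comma or quote. Whitespace and commas separate.
ARG = re.compile(r'"([^"]*)"|([^\s,"]+)')

# field op value, where field and value may each be bare or double-quoted.
FILTER = re.compile(r'^\s*(?:"([^"]*)"|([^\s=!"]+))\s*(!=|=)\s*(?:"([^"]*)"|([^\s"]+))\s*$')

# name(argument) for a single-argument statistical function such as avg(...).
FUNC = re.compile(r'^\s*(\w+)\((.*)\)\s*$')


def split_args(arg_text: str) -> list[str]:
    """Split a multi-argument command's arguments (the 'table' case).
    Unquoted 'Elapsed _ms' becomes two arguments; quoted it stays one."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in ARG.finditer(arg_text)]


def parse_stat_func(text: str) -> tuple[str, str]:
    """Parse avg(Elapsed _ms): the function takes exactly one argument, so the whole
    content of the parentheses is the field name, quotes optional."""
    m = FUNC.match(text)
    if m is None:
        raise ValueError(f"not a function call: {text!r}")
    name, inner = m.group(1), m.group(2).strip()
    if len(inner) >= 2 and inner.startswith('"') and inner.endswith('"'):
        inner = inner[1:-1]
    return name, inner


def matches(event: dict, filter_text: str) -> bool:
    """Evaluate a field=value or field!=value filter against one event.
    A field that does not exist on the event matches nothing and raises no error,
    which is exactly the silent failure a misspelled field name produces."""
    m = FILTER.match(filter_text)
    if m is None:
        raise ValueError(f"unsupported filter: {filter_text!r}")
    field = m.group(1) if m.group(1) is not None else m.group(2)
    value = m.group(4) if m.group(4) is not None else m.group(5)
    if field not in event:
        return False
    equal = str(event[field]) == value
    return equal if m.group(3) == "=" else not equal   # "!=" rule is this model's assumption


def table(events: list[dict], arg_text: str) -> tuple[list[str], list[list]]:
    """Model of '| table ...': one column per parsed argument, None where the
    event has no such field (the 'three columns, two of them empty' symptom)."""
    cols = split_args(arg_text)
    return cols, [[ev.get(c) for c in cols] for ev in events]


def timechart_avg(events: list[dict], span_s: int, func_text: str) -> dict[int, float]:
    """Model of '| timechart span=... avg(field)': bucket by span, average the field.
    Events lacking the field (e.g. after a typo) are skipped silently."""
    name, field = parse_stat_func(func_text)
    if name != "avg":
        raise ValueError(f"only avg is modelled, got {name!r}")
    buckets: dict[int, list] = {}
    for ev in events:
        if field not in ev:
            continue
        buckets.setdefault(ev["_time"] // span_s * span_s, []).append(ev[field])
    return {t: statistics.mean(vals) for t, vals in sorted(buckets.items())}


def search(events: list[dict], filter_text: str, func_text: str, span_s: int) -> dict[int, float]:
    """Equivalent of: <filter> | timechart span=<span> <func>."""
    return timechart_avg([e for e in events if matches(e, filter_text)], span_s, func_text)


if __name__ == "__main__":
    print(search(EVENTS, 'RealName="ConsolOpen"', "avg(Elapsed _ms)", 1800))  # averages per 30 min
    print(search(EVENTS, 'RealName="ConsolOpen"', "avg(Elapsed_ms)", 1800))   # typo: empty, no error
    print(table(EVENTS[:1], "RealName Elapsed _ms"))      # three columns, two empty
    print(table(EVENTS[:1], 'RealName "Elapsed _ms"'))    # two columns, both filled
```

Running the script shows the contrast Jeff describes: avg(Elapsed _ms) works unquoted because a one-argument function has nothing else to split on, while table RealName Elapsed _ms yields three columns until the spaced name is quoted. The empty result from avg(Elapsed_ms) is the silent failure from the thread, so an empty timechart is the signal to check field spelling.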