Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I only show some fields values in my chart?

guillecasco
Path Finder
‎05-26-2016 12:19 PM

I have a search like this:

index=pupi (some rex extractions) |chart count by customer_id, name_EVENTS

which gives me something like:

customer_iD     AP_ERROR  |  AP_OK  |  DOWN_ERROR 
John            50           70        78
Bill thomas     45           25        38
.
.

Thing is that Customer ID field has like 100 different values. I just want a table to show only 6 of them (not with TOP, not arbitrarily) 6 names that I need to choose and show. I tried to put those names in the search with OR "john" OR "Bill" OR "name", but it brings other logs that I don't want. Is this possible to do with eval? something like IF value is "John" show in chart if it is "the ones I want to show" ,show it, else don't show it?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎05-26-2016 12:22 PM

You need to specify the field name vs doing full text search across all data with the name.

... (customer_id="john" OR customer_id="Bill" OR customer_id="name") ...

View solution in original post

0 Karma
Reply
Solved! Jump to solution

splunkton
Path Finder
‎05-26-2016 12:28 PM

Try this

index=pupi (some rex extractions)|eval wanted=case(Custome_id=JOHN,"OK" ,Custome_id=JOHN,"OK" ,Custome_id=JOHN,"OK" ,Custome_id=JOHN,"OK" ,Custome_id=JOHN,"OK" ,Custome_id=JOHN,"OK" ,1=1,"notok"|search wanted="OK" |chart count by customer_id, name_EVENTS

0 Karma
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎05-26-2016 12:22 PM

You need to specify the field name vs doing full text search across all data with the name.

... (customer_id="john" OR customer_id="Bill" OR customer_id="name") ...

0 Karma
Reply
Solved! Jump to solution

guillecasco
Path Finder
‎05-26-2016 12:45 PM

I did that but it brings me data that i don´t want. Evidently the name i want, are in other kinds of logs, that´s why i´m trying to do it with eval (i don´t know which other way if not)

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-26-2016 01:09 PM

Yeah you can do that with case statement like this:

...| eval AP_ERROR=case(customer_id==john AND otherfield==whatever,AP_ERROR,customer_id==bob AND otherfield==something,AP_ERROR)

What this will do is if the customer_id is john and the otherfield is whatever, AP_ERROR will equal whatever AP_ERROR is in that event, ... and if customer_id is bob and otherfield is something, it will also be whatever AP_ERROR is in that event ... otherwise AP_ERROR will be null. Then when you start adding all these events up, the null values will not count as 0 or anything at all.

case([condition(s)1],"[value if condition1=true]",[condition(s)2],"[value if condition2=true]") ... so on

http://docs.splunk.com/Documentation/Splunk/6.0.7/SearchReference/CommonEvalFunctions

if you want "[value if condition=true]" to be a field's value, just remove the double quotes so that its like this:

case([condition(s)1],fieldname,[condition(s)2],fieldname) ... so on

I hope all that helps

Reply
Solved! Jump to solution

guillecasco
Path Finder
‎05-27-2016 11:04 AM

great thank you my friend

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-27-2016 04:03 PM

You're very welcome!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...