Solved: help to values many fields in timechart command

jip31 · ‎02-18-2020

hi

i use the search below for displaying a timechart
as you can see, the timechart is sorted by host

`toto` 
    earliest=-5d latest=now 
| lookup test.csv HOSTNAME as host output SITE MODEL 
| timechart avg(BootTime) as "Boot time" by host limit=10 useother=false

but I also need to values the fields SITE and MODEL in order to have for an host, the avg(BootTime), the SITE and the MODEL
Something like :

    | timechart avg(BootTime) as "Boot time" by host SITE MODEL

How to do for values other fields with a timechart command please???

to4kawa · ‎02-18-2020

....
|eval tmp=host.":".SITE.":".MODEL
| timechart avg(BootTime) as "Boot time" by tmp
| rex field=tmp "(?<host>\S+?):(?<SITE>\S+?):(?<MODEL>\S+)"
| fields - tmp

View solution in original post

to4kawa · ‎02-18-2020

....
|eval tmp=host.":".SITE.":".MODEL
| timechart avg(BootTime) as "Boot time" by tmp
| rex field=tmp "(?<host>\S+?):(?<SITE>\S+?):(?<MODEL>\S+)"
| fields - tmp

jip31 · ‎02-18-2020

It doesnt works
if I am doing | search SITE=* OR MODEL=* I have no results
And i also need to display the timechart by host
Actually instead host I have "NULL"

to4kawa · ‎02-18-2020

@jip31

Of course you do the query after the lookup, right?

it doesn't works
You say this and you know the cause and what to do?

jip31 · ‎02-18-2020

yes after the lookup
and i dont know why | search SITE=* OR MODEL=* doesnt works

to4kawa · ‎02-19-2020

| search SITE=* OR MODEL=* is unnecessary.

help to values many fields in timechart command

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!