I am using a search command of sourcetype=CurrentWeatherSGMap OR sourcetype=ltaTraffic | timechart count(type) as Incident count(current_summary) as Rain.
I had current_summary and type, which I needed only the Rain from current_summary and Accident from type in both sources using the search query. Anyway I can do it ?
Did you read the timechart docs? You can specify which field values you are interested in using eval statements. So something like this should work:
sourcetype=CurrentWeatherSGMap OR sourcetype=ltaTraffic | timechart count(eval(type=="Accident")) as Incident, count(eval(current_summary=="Rain")) as Rain
Did you read the timechart docs? You can specify which field values you are interested in using eval statements. So something like this should work:
sourcetype=CurrentWeatherSGMap OR sourcetype=ltaTraffic | timechart count(eval(type=="Accident")) as Incident, count(eval(current_summary=="Rain")) as Rain
Kk, i am just double checking 😃 I am only not sure about the two sourcetype. Thanks ! Eval is what i needed 😃
Uh...well yes. That's kind of basic search filtering functionality. If you're unsure about those kind of things I advise you to take the Splunk tutorial.
Consider that both sourcetype have these location fields extracted.
What if i got another field called location and I need the location of "PIE" for example? Only display result for PIE, how can i do that ? Put at by location=PIE ?
Yes ! Against the same location !
So the desired result would be a graph with two lines - one for occurrences of rain and one for occurrences of accidents?
I wanted to do a search for Rain and Accident on a timechart showing how rain affects more accidents (correlation of weather and traffic accidents). However the Accident is in Type and Rain is in current_summary. I need to do a count for number of times it rains on a specific location then count for accidents on the same location then plot it on a timechart.
OK, but I have no idea what your desired result is (same issue as in your partner's more or less identical question). What exactly are you trying to do? What is the desired end result?
I have edited the question. Check it out 😃
xmlkv is used for performing field extraction on certain XML formatted data. Not sure how it would be relevant in your scenario.