- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to get a timechart with a backup source in...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have two different sourcetypes that I can graph like this:
eventtype=mlc sourcetype=lts_timings host=X | eval details=task_name."; ".duration_seconds." seconds" | timechart count(duration_seconds) by details limit=0
eventtype=mlc sourcetype=lts-histo host=X | timechart count(task_name) by task_name limit=0
Sometimes the log file driving the first one does not get produced, and in this case, I would use the second one as a backup. The reason is that the second one is always produced, but the first has more information (the duration_seconds field). Is there a way to achieve this logic in one graph? Ideally I would like to write a single search saying something like this:
if_empty(eventtype=mlc sourcetype=lts_timings host=X) {
eventtype=mlc sourcetype=lts-histo host=X | timechart count(task_name) by task_name limit=0
}
else {
eventtype=mlc sourcetype=lts_timings host=X | eval details=task_name."; ".duration_seconds." seconds" | timechart count(duration_seconds) by details limit=0
}
Thanks for reading!
John
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try below. You might need to adjust a bit to accommodate all your conditions
eventtype=mlc (sourcetype= lts_timings OR sourcetype=lts-histo) host=X
|eval details=if(isnull(duration_seconds),task_name,task_name."; ".duration_seconds." seconds")
|eval dur_task=if(isnull(duration_seconds),task_name,duration_seconds)
|timechart count(dur_task) by details limit=0
or use coalesce ..
Refer here http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/CommonEvalFunctions
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try below. You might need to adjust a bit to accommodate all your conditions
eventtype=mlc (sourcetype= lts_timings OR sourcetype=lts-histo) host=X
|eval details=if(isnull(duration_seconds),task_name,task_name."; ".duration_seconds." seconds")
|eval dur_task=if(isnull(duration_seconds),task_name,duration_seconds)
|timechart count(dur_task) by details limit=0
or use coalesce ..
Refer here http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/CommonEvalFunctions
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's very helpful, thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @johnraftery
If @renjith.nair's answer solved your question, don't forget to click "Accept" directly below the answer to resolve this post.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
