- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to extract values and make a "timechart span=1...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello everyone,
I have different device models in A1 and B1 where "A1" is calling device model and B1 is receiving device model and from those, I would like extract values from given fields A1 and B1 then make a timechart span=1day for 7 days .
_time A1 B1
03/13 13:32:04 CSF123 bbb-aaa-11XX-aip11
03/13 14:23:06 TCT454 CSF233
03/14 15:13:06 CSF567 CSF890
question.
1. I would like to extract values only "CSF" and "TCT" not the full model name "CSF123" .
2. and make total count for all "CSF" and "TCT" per day "time chart span=1day"
Thanks in advance,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@splunkuseradmin try the following search.
<yourCurrentSearchReturingTimeA1B1>
| timechart span=1d count(eval(match(A1,"CSF"))) as "CSFA1" count(eval(match(B1,"CSF"))) as "CSFB1" count(eval(match(A1,"TCT"))) as "TCTA1" count(eval(match(B1,"TCT"))) as "TCTB1" cont=f
| eval CSF=0,TCT=0
| foreach CSF* [| eval CSF=CSF+<<FIELD>>]
| foreach TCT* [| eval TCT=TCT+<<FIELD>>]
| table _time CSF TCT
Following is a run anywhere example based on sample data provided
| makeresults
| eval data="03/13 13:32:04,CSF123,bbb-aaa-11XX-aip11;03/13 14:23:06,TCT454,CSF233;03/14 15:13:06,CSF567,CSF890"
| makemv data delim=";"
| mvexpand data
| makemv data delim=","
| eval Time=mvindex(data,0), A1=mvindex(data,1),B1=mvindex(data,2)
| eval _time=strptime(Time,"%m/%d %H:%M:%S")
| table _time A1 B1
| timechart span=1d count(eval(match(A1,"CSF"))) as "CSFA1" count(eval(match(B1,"CSF"))) as "CSFB1" count(eval(match(A1,"TCT"))) as "TCTA1" count(eval(match(B1,"TCT"))) as "TCTB1" cont=f
| eval CSF=0,TCT=0
| foreach CSF* [| eval CSF=CSF+<<FIELD>>]
| foreach TCT* [| eval TCT=TCT+<<FIELD>>]
| table _time CSF TCT
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@splunkuseradmin try the following search.
<yourCurrentSearchReturingTimeA1B1>
| timechart span=1d count(eval(match(A1,"CSF"))) as "CSFA1" count(eval(match(B1,"CSF"))) as "CSFB1" count(eval(match(A1,"TCT"))) as "TCTA1" count(eval(match(B1,"TCT"))) as "TCTB1" cont=f
| eval CSF=0,TCT=0
| foreach CSF* [| eval CSF=CSF+<<FIELD>>]
| foreach TCT* [| eval TCT=TCT+<<FIELD>>]
| table _time CSF TCT
Following is a run anywhere example based on sample data provided
| makeresults
| eval data="03/13 13:32:04,CSF123,bbb-aaa-11XX-aip11;03/13 14:23:06,TCT454,CSF233;03/14 15:13:06,CSF567,CSF890"
| makemv data delim=";"
| mvexpand data
| makemv data delim=","
| eval Time=mvindex(data,0), A1=mvindex(data,1),B1=mvindex(data,2)
| eval _time=strptime(Time,"%m/%d %H:%M:%S")
| table _time A1 B1
| timechart span=1d count(eval(match(A1,"CSF"))) as "CSFA1" count(eval(match(B1,"CSF"))) as "CSFB1" count(eval(match(A1,"TCT"))) as "TCTA1" count(eval(match(B1,"TCT"))) as "TCTB1" cont=f
| eval CSF=0,TCT=0
| foreach CSF* [| eval CSF=CSF+<<FIELD>>]
| foreach TCT* [| eval TCT=TCT+<<FIELD>>]
| table _time CSF TCT
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is "CSF" or "TCT" always the first three characters of A1/B1? Or always the non-digit-part at the beginning of A1/B1?
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
