`index=indexname sourcetype=sourcetypename NOT NOT`

If the field name that you specify does not match a field in the output, a new field is added to the search results.

I'm operating under the assumption that we're working with these two fields for this search: 1.

I just inherited a small Splunk install at my new job and my sales rep suggested I check our Reddit

I have 2 different sources in the same index file.

Description: The eval command calculates an expression and puts the resulting value into a search results field.

`(index=foo1 some other search for records with field1) OR (index=foo2 some other search for records with field2) | fields index field1 field2 whatever you need from either record | eval matchfield=coalesce(field1,field2) | stats values() as`

`index=index NOT NOT`

For your question, if you want the same query to filter values for 2 fields, you can create a macro and use it in your search.

Definition = `| makeresults | eval filter="splunk|microsoft|dell|apple" | eval filter=split(filter, "|") | mvexpand filter | strcat "*" filter "*" filter | eval $fieldname$=filter | fields - filter | format`

2. Need to combine 2 different fields into 1, but from different data sources.

Try to use this form if you can, because it's usually most efficient.

My initial idea was to have individual eventtypes for each operations value.

I'm trying to export each value of the operations field into distinct fields per value.

There are 39 unique values, each with its own unique set of fields.

Now these rows can be displayed in a column or pie chart where you can compare the values.

The data in field AuditDatakeys is unique based on the values in a field called operations.

`sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases | transpose`

Hi, if fields name and "short name" are part of your index then you can filter them in the main search only.

Use the transpose command to convert the columns of the single row into multiple rows.