![]() Eventually, I would put them all on the same graph, so that I have a line graph where each line represents a carrier, the x-axis is time and the y-axis is error value. I want to see a graph of the errors for carrier 1 over time. So as events like this come in, the error for carrier 1 will fluctuate. If you do not specify a field, the value is replaced in all non-generated fields. Does not replace values in fields generated by stats or eval functions. My ultimate goal is to have a graph of errors by carrier, which means that the carrier and error need to be related across events. Replaces field values in your search results with the values that you specify. Now that I am trying the next step (graphing it), I have a feeling that this might have been the wrong route. If you ignore multivalue fields in your data, you may end up with missing. Multivalue fields can also result from data augmentation using lookups. However, for events such as email logs, you can find multiple values in the To and Cc fields. Complex queries involve the pipe character, which feeds the output of the previous query into the next. When working with data in the Splunk platform, each event field typically has a single value. For example: 'field1','field2','field3value1,field3value2,field3value3'. Begin by specifying the data using the parameter index, the equal sign, and the data index of your choice: indexindexofchoice. It correctly splits out the carriers and errors into multiple values. Certain fields can have multiple values, wherein the values are separated only by a comma but quotes enclose only the entire list of fields. I can see the correct values (and multiple values) when I view the events. This was too long to put in the comments, so am posting it here: My end result would then be a graph with all the carriers showing the error values over time. ![]() Thank you Splunk For example, suppose in the 'errorcode' field that you want to locate only the codes 400, 402, 404, and 406. How do I get both the fields 'carrier' and 'error' to be multi-value and then get it to pick up all the values? TIPS
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |