We have two fields in the one index; we need to compare the two fields, then create a new field that shows only the difference between the two fields. Below is one example of the results from the two fields: previousconf field: Name:REQ000004543448-shrepoint; currentconf field: Name:REQ000004543448-4614240-shrepoint. Actually, I have created fields and I want to merge two fields into a single field.

I think you may be making some incorrect assumptions about how things work. The answers you are getting have to do with testing whether fields on a single event are equal. If you are trying to take different events and connect them, then you need to use stats, join, lookup, or one of a half dozen other verbs, as appropriate to your use case.

Description: Use the rename command to rename one or more fields. This command is useful for giving fields more meaningful names, such as 'Product ID' instead of 'pid'. If you want to rename fields with similar names, you can use a wildcard character.

This function returns a list for a range of numbers. This function can contain up to three arguments: a starting number, an ending number (which is excluded from the field), and an optional step increment, which defaults to 1. We support Splunk relative time strings as a valid step increment.

The problem is that you can't split by more than two fields with a chart command. timechart already assigns time to one dimension, so you can only add one other with the by clause. Try to use this form if you can, because it's usually most efficient (which halfway does explicitly what timechart does under the hood for you), and see if that is what you want.

action which is giving good result but I need to run the SPL query every time. I want to evaluate a field D that has the value of C that corresponds with the min value of B when 0 < B < 4, and A1.