operations on field values within multiple rows of...

trailhead26 · ‎06-16-2014

I have one source and I need to use the field values from multiple rows to come up with an average. I have the data already indexed by _time. The data is like this.

1:00:00 field1=value1 field2=value2
1:00:00 field1=value3 field2=value4
1:00:00 field1=value5 field2=value6

this repeats every 30 seconds. I need to calculate as follows for every 30 second span

(value2 + value4)/value6

I have tried using append, but I can't figure out how to use the renamed values of "field2" to perform the operation I need to do and then visualize the data.

martin_mueller · ‎06-16-2014

Okay, based on the assumptions in the comments you can do this:

index=foo sourcetype=bar | eval value2 = case(field1=value1, field2) | eval value4 = case(field1=value3, field2) | eval value6 = case(field1=value5, field2) | stats values(value*) as value* by _time | eval result = (value2 + value4) / value6 | timechart span=30s avg(result)

trailhead26 · ‎06-16-2014

never mind, typo. I got it now. Thanks for your help.

martin_mueller · ‎06-16-2014

You can leave off the final timechart and see if the intermediate values are calculated correctly.

trailhead26 · ‎06-16-2014

Thanks!
I don't think anything is being calculated in result. Is there a way to test that part?
My result always comes up blank

trailhead26 · ‎06-16-2014

that is correct

martin_mueller · ‎06-16-2014

I see. Is it certain that these three events have the exact same timestamp and there is only one set of three for each timestamp?

trailhead26 · ‎06-16-2014

by the values of field1

martin_mueller · ‎06-16-2014

How do you identify the three different rows and their meaning?

operations on field values within multiple rows of the same source

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!