Splunk Search

calculating values in new rows/columns and appending based on values in existing rows/columns

HattrickNZ
Motivator

I have something like this in the stats view in splunk.

field   NE1 NE1-L   NE2 NE2-1   field-alt
KPI1    30251   125000  22761   126000  KPI1-alt
KPI2    8809    38000   5875    38000   KPI2-alt
KPI3    212130  300000  229172  300000  KPI3-alt
KPI4    107965  160000  111798  160000  KPI4-alt
KPI5    83045   100000  42984   60000   KPI5-alt
KPI6    83229   100000  43081   60000   KPI6-alt

the query is rather long and contrived and looks something like:

index=core host=... | 
stats  ... | untable userLabel field value | xyseries field userLabel value | 
appendcols [
search index=core ... | 
stats max| 
untable subname field value | 
xyseries field subname value | 
rename field as field1 | 
]

What I want to do is add further columns to the right that are basically doing a arithmetic operation on the values in the row/columns to the left, giving something like:

field   NE1 NE1-L   NE2 NE2-1   field-alt   field2      filed3
KPI1    30251   125000  22761   126000  KPI1-alt    NE1/NE1-L   NE2/NE2-L
KPI2    8809    38000   5875    38000   KPI2-alt    NE1/NE1-L   NE2/NE2-L
KPI3    212130  300000  229172  300000  KPI3-alt    NE1/NE1-L   NE2/NE2-L
KPI4    107965  160000  111798  160000  KPI4-alt    NE1/NE1-L   NE2/NE2-L
KPI5    83045   100000  42984   60000   KPI5-alt    NE1/NE1-L   NE2/NE2-L
KPI6    83229   100000  43081   60000   KPI6-alt    NE1/NE1-L   NE2/NE2-L

How Can I achieve this?

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

You can add this to the end of your search:

... | eval field2 = NE1/'NE1-L' | eval field3 = NE2/'NE2-L'

Note, you have to single-quote fields that contain a minus sign to avoid Splunk trying to subtract L from NE1... try not using fields that contain operators in their name to ease further computing.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

You can add this to the end of your search:

... | eval field2 = NE1/'NE1-L' | eval field3 = NE2/'NE2-L'

Note, you have to single-quote fields that contain a minus sign to avoid Splunk trying to subtract L from NE1... try not using fields that contain operators in their name to ease further computing.

HattrickNZ
Motivator

tks too easy 🙂

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...