- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Question on basic subtraction in time charts
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Per below- my Total Configured_Space & Free_Space work great.
timechart eval(sum(Logical_Capacity_Blocks) / 2097152000) as Configured_Space,eval(sum(Free_contiguous_group_of_unbound_segments) / 2097152000) as Free_Space, eval(Configured_Space - Free_Space)
Now I'd like to have a listing of consumed space in my chart which means I really need
to subtract Free_Space from Configured_Space & I've tried several variations which
dont really work.
keep getting
Error in 'timechart' command: The eval expression has no fields: 'WDC_Configured_Space - Free_Space'
I've found the doc's page & it never really comes out & says how to subtract.
http://www.splunk.com/base/Documentation/4.2.1/SearchReference/Eval
What is the correct syntax to do subtraction?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Clintla
well I can fire up your command like this:
* | timechart eval(sum(Logical_Capacity_Blocks_) / 2097152000) as Configured_Space, eval(sum(Free_contiguous_group_of_unbound_segments) / 2097152000) as Free_Space | eval consumed_space = Configured_Space - Free_Space
it runs without any error and brings up an result.
cheers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Clintla
well I can fire up your command like this:
* | timechart eval(sum(Logical_Capacity_Blocks_) / 2097152000) as Configured_Space, eval(sum(Free_contiguous_group_of_unbound_segments) / 2097152000) as Free_Space | eval consumed_space = Configured_Space - Free_Space
it runs without any error and brings up an result.
cheers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, That works... I feel like I got what I asked for & not what I wanted. I used a , instead of a pipe.
Not really sure why there is not more documentation on
Do's & donts.
I'd like to have a graph of used/free space but the above
throws in total space which messes up the graph.
try things like
source="OSDC" | timechart eval(sum(Free_contiguous_group_of_unbound_segments) / 2097152000) as Free_Space | eval Consumed_space = eval(sum(Logical_Capacity_Blocks) / 2097152000) - Free_Space
& it tells me SUM is not supported. puzzling.
other tries- says no fields.
I'll try some more.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi clintla
have you tried the following eval?
eval consumed_space = Configured_Space - Free_Space
regrads
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi i also got the same error
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think so. Get this error
Error in 'timechart' command: The specifier 'eval' is invalid. It must be in form
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
