Solved: Why am I not getting the expected output with my c...

chanduira · ‎01-07-2016

Hi Experts,

I want to create a trend of UPS load over time.
I can get a UPS overtime trend by getting the sum of three phase inputs (with average of each phase) (ABC_PH1_UPS1_L1_OUTPWR, ABC_PH1_UPS1_L2_OUTPWR, & ABC_PH1_UPS1_L3_OUTPWR)

While I am doing timechart, I am not getting any output:

index=abc sourcetype=csv ABC_PH1_UPS1_*_OUTPWR | stats avg(Parameter Value) as Value by "Meter Name"| replace ABC_PH1_UPS1_L1_OUTPWR with UPS1, ABC_PH1_UPS1_L2_OUTPWR with UPS1, ABC_PH1_UPS1_L3_OUTPWR with UPS1 in "Meter Name"| timechart sum(Value) as Val by "Meter Name"

fdi01 · ‎01-07-2016

try whith "..." like:
...| stats avg("Parameter Value") as Value by "Meter Name"|...

View solution in original post

chanduira · ‎01-20-2016

I tried with addcols option its working

fdi01 · ‎01-07-2016

try whith "..." like:
...| stats avg("Parameter Value") as Value by "Meter Name"|...

javiergn · ‎01-07-2016

I've got a feeling that you need double quotes when calculating the avg of Parameter Value:

index=abc sourcetype=csv ABC_PH1_UPS1_*_OUTPWR | stats avg('Parameter Value') as Value by "Meter Name"| replace ABC_PH1_UPS1_L1_OUTPWR with UPS1, ABC_PH1_UPS1_L2_OUTPWR with UPS1, ABC_PH1_UPS1_L3_OUTPWR with UPS1 in "Meter Name"| timechart sum(Value) as Val by "Meter Name"

martin_mueller · ‎01-07-2016

Referring to a field name with nonstandard characters needs single quotes in eval, double quotes in stats - double quotes in eval give you a string.

That being said, avg(Parameter Value) is indeed not going to work, double quotes are needed.

javiergn · ‎01-07-2016

True, i'll fix my answer, thanks

Why am I not getting the expected output with my current search?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life