Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to subtract static value from timechart?

skoelpin
SplunkTrust
SplunkTrust
‎03-15-2016 07:06 AM

I have a timechart which tracks tax calls per half hour. We have monitoring set up which will hit our web service every 1 minute, there is no way to distinguish between a customer or monitor tax call in that index, it only shows the method and tax call. So I need to subtract 30 from each time slot so I can get rid of the monitoring from our results.

I have an extracted field called Tax which is the name of our web service name (CalculateTax and LookupTax).

Example

BEFORE 

_time                               CalculateTax     LookUpTax
2016-03-14 00:00:00                 143           118
2016-03-14 00:30:00                 151           111
2016-03-14 01:00:00                 103            96
2016-03-14 01:30:00                    125               98

AFTER 

_time                               CalculateTax     LookUpTax
    2016-03-14 00:00:00                 113           88
    2016-03-14 00:30:00                 121           81
    2016-03-14 01:00:00                 73             66
    2016-03-14 01:30:00                    95               68

Here's my current query 

index=vertex7-access   Tax="*" | timechart  count by Tax
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lquinn
Contributor
‎03-15-2016 07:22 AM

You could just add a couple of eval's on the end of your search ...

index=vertex7-access Tax=* | timechart count by Tax | eval CalculateTax = CalculateTax - 30 | eval LookUpTax = LookupTax - 30

Alternatively you could use the foreach command to recalculate both fields at once ...

index=vertex7-access Tax=* | timechart count by Tax | foreach * [eval <<FIELD>>=<<FIELD>>-30]

View solution in original post

Reply
Solved! Jump to solution

javiergn
Super Champion
‎03-15-2016 07:23 AM

Unless I didn't understand your question I would use foreach:

 index=vertex7-access   Tax="*" 
| timechart  count by Tax
| foreach *Tax [eval <<FIELD>>='<<FIELD>>' - 30]
0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-15-2016 08:27 AM

Thanks for your input! The issue I'm having with this is that I made an extracted field called Tax which extracts both CalculateTax and LookUpTax. So that Tax field will have 2 values.. I tried taking this approach below but it did not work. CalculateTax70 and LookUpTaxAreas70 is the name of the web service calls which make up the field Tax 

index=vertex7-access   Tax="*"  | timechart count by Tax | foreach *Tax [eval CalculateTax = CalculateTax70 - 30, LookUpTax = LookUpTaxAreas70 - 30]
0 Karma
Reply
Solved! Jump to solution
Solution

lquinn
Contributor
‎03-15-2016 07:22 AM

You could just add a couple of eval's on the end of your search ...

index=vertex7-access Tax=* | timechart count by Tax | eval CalculateTax = CalculateTax - 30 | eval LookUpTax = LookupTax - 30

Alternatively you could use the foreach command to recalculate both fields at once ...

index=vertex7-access Tax=* | timechart count by Tax | foreach * [eval <<FIELD>>=<<FIELD>>-30]
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-15-2016 07:35 AM

This is very close to what I'm looking for. When I used your first search (The evals) it produced 4 columns.. It had my 2 original tax columns then it had the 2 new columns which were defined int he eval. How do I get rid of the 2 old columns and only keep the 2 new eval columns?

Here's my new search (This is producing an error now)

index=vertex7-access  Tax="*"  | eval CalculateTax = CalculateTax - 30 | eval LookUpTax = LookupTaxAreas - 30 | timechart count by CalculateTax, LookUpTax
0 Karma
Reply
Solved! Jump to solution

lquinn
Contributor
‎03-15-2016 07:43 AM

The evals must go after the timechart command - does it still give you two extra columns then? It shouldn't as you are just replacing the two fields that have already been created - CalculateTax and LookupTax. What were the four columns?

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-15-2016 08:13 AM

Yes, this search gave me 4 columns (2 old and 2 new) 

index=vertex7-access Tax=* | timechart count by Tax | eval CalculateTax = CalculateTax - 30 | eval LookUpTax = LookupTax - 30
0 Karma
Reply
Solved! Jump to solution

lquinn
Contributor
‎03-15-2016 08:24 AM

Ok, can you tell me the column names? What did the foreach command give you?

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-15-2016 08:32 AM

The column names are 'CalculateTax', 'CalculateTax70', LookUpTax', and 'LookupTaxAreas70'.. The new columns which are correctly subtracting 30 are called 'CalculateTax' and 'LookUpTax'.. So I need to get rid of the other 2 columns

The 2 values which make up the extracted 'Tax' field are called 'CalculateTax70' and 'LookupTaxAreas70'

Here's my query 

index=vertex7-access Tax="*"  | timechart count by Tax | eval CalculateTax = CalculateTax70 - 30 | eval LookUpTax = LookupTaxAreas70 - 30
0 Karma
Reply
Solved! Jump to solution

lquinn
Contributor
‎03-15-2016 08:49 AM

OK well that makes sense why you are getting 4 columns, you are calling the new fields something different. You can just add this to the end of your search...

| fields - CalculateTax70, LookupTaxAreas70

However as somesoni2 said, you are probably better using foreach instead. You don't need to substitute the <> part, just leave it as is.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-15-2016 08:41 AM

I went ahead and tacked on | fields - CalculateTax70, LookupTaxAreas70 at the end of my search and it successfully removed the old columns that I don't want.

I know this is an ugly query and there are better ways of doing it but I don't have a lot of time to doll it up and need a quick fix. Thanks for your help!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-15-2016 07:51 AM

The foreach would be better approach as it eliminates hard-coding of column names.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-15-2016 08:15 AM

I do agree on not hardcoding my values, but in this case, these web service calls will not change for a long time so it should be safe. I'll take a foreach approach and see if that works

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...