Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I add an additional calculation to a chart?

andrewtrobec
Motivator
‎11-21-2016 02:53 PM

Hello,

I have two separate chart calculations that I would like to combine into a single chart. The first is an avg calculation on a field grouped by two fields while the second is a distinct_count calculation on another field grouped by one field. So assuming a have four different fields, the two separate chart commands are:

chart avg(FIELD1) by FIELD2, FIELD3
chart distinct_count(FIELD4) by FIELD2

I am trying to combine them so that the distinct_count ends up as the final column of the generated table. I have tried using:

chart avg(FIELD1) distinct_count(FIELD4) by FIELD2, FIELD3

but all that accomplishes is splitting the distinct_count over FIELD3 as well, which is what I don't want.

Is there a way of combining the two so that the distinct_count appears as a column at the end being grouped by FIELD2?

Thank you!

Andrew

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-21-2016 04:12 PM

Try this

*UPDATED*

.... | eventstats dc(field4) as dc_f4 by field2 | eval field2= field2."#".dc_f4 | chart avg(field1) as average over field2 by field3 | rex field=field2 "(?<field2>[^#]+)#(?<distinct_count>.*)"

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-21-2016 04:12 PM

Try this

*UPDATED*

.... | eventstats dc(field4) as dc_f4 by field2 | eval field2= field2."#".dc_f4 | chart avg(field1) as average over field2 by field3 | rex field=field2 "(?<field2>[^#]+)#(?<distinct_count>.*)"
Reply
Solved! Jump to solution

lnn2204
Path Finder
‎10-15-2021 07:54 PM

Hi Sundareshr, i got this problem, i want to add value 1 to 2 and remove the Shift0, do you have any solution? ThanksUntitled.png

0 Karma
Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎11-21-2016 10:25 PM

Hello sunhareshr. This works, but adds a new column for each value of FIELD3 instead of just adding one. There is no difference between 

.... | eventstats dc(field4) as dc_f4 by field2 | chart avg(field1) as average values(dc_f4) as dist_count over field2 by field3

and

.... | eventstats dc(field4) as dc_f4 by field2 | chart avg(field1) as average values(dc_f4) as dist_count by field2, field3

any ideas?

Thanks!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-22-2016 12:53 AM

Try the updated query

0 Karma
Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎11-22-2016 03:26 AM

Thanks, this works! I will do some reverse engineering to figure out the logic behind it. I appreciate your help!

0 Karma
Reply
Solved! Jump to solution

bshuler_splunk
Splunk Employee
Splunk Employee
‎11-21-2016 03:01 PM 
somesearch | chart avg(FIELD1) by FIELD2, FIELD3 | append [search somesearch | chart distinct_count(FIELD4) by FIELD2]
0 Karma
Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎11-21-2016 10:18 PM

Thanks bshuler. The append command adds a new column to the chart, but the values are appended at the bottom as an entire new table. So basically the first half of the table is

chart avg(FIELD1) by FIELD2, FIELD3

with the distinct_count column blank, while the second half of the table is

chart distinct_count(FIELD4) by FIELD2

with all the avg columns blank.

Any ideas?

Thanks!

Andrew

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...