Solved: How to create a timechart from calculated value?

balendra · ‎03-21-2017

Hello I have a search to plot the calculated value over time. However the search is not working as expected.

| eval Output1 = Value1 * 10
| eval Output2 = ((10 * (Value2)) + Output1)
| timechart span=1m values(Output2)  by host

The above search is not plotting the Output2 value graph. If I just change the value for Output1 in eval Output2 then it works i.e.

| eval Output2 = ((10 * (Value2)) + 10)

Is there any other way to timechart calculated value?

somesoni2 · ‎03-21-2017

I would try like this

| eval Output1 = 'Value1'*10
 | eval Output2 = ((10*'Value2') + 'Output1')
 | timechart span=1m values(Output2)  by host

The values function may give multivalued field if your data coming multiple times in a minute and nothing will be plotted. If that is the case you may want to different function here (min, max, avg, sum etc instead of values).

View solution in original post

somesoni2 · ‎03-21-2017

I would try like this

| eval Output1 = 'Value1'*10
 | eval Output2 = ((10*'Value2') + 'Output1')
 | timechart span=1m values(Output2)  by host

The values function may give multivalued field if your data coming multiple times in a minute and nothing will be plotted. If that is the case you may want to different function here (min, max, avg, sum etc instead of values).

balendra · ‎03-21-2017

Since the data is coming every minute with the values function there was no data. And I changed to the below query and its working now.

| eval Output1 = 'Value1'*10
| eval Output2 = (10*'Value2')
| timechart span=1m perc90(Output2) eval(avg(Ouput1) + avg(Output2)) as total_out by host

Thanks somesoni2

balendra · ‎03-21-2017

Output1 field is numeric too.
| eval Output1 = Value1 - 10

asimagu · ‎03-21-2017

could you doublecheck the format of your fields to be numeric?

How to create a timechart from calculated value?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!