
I've been poking at this for a couple of hours, I think I'm missing something obvious but it's a forest for trees thang.

I have to create 2 dashboards, first is done and tested sat, second uses all of the first except the last line. No, I can't post the exact code. Suffice it to say, I have aggregated 6 fields, a, b, c, x, y, z.

In the first panel, I had to sum a, b, c and then display them in a timechart span=1mon as a stacked bar chart. Works great.

In the second panel I have to sum x, y, z, then take that and subtract it from sum of a, b, c, and present sum of x, y, z and diff (a+b+c) - (x+y+z) in a stacked bar chart, span=1mon.

Here's the line I have to try to do this, but it's not presenting any values (nor errors):

```
| timechart span=1mon sum(eval (sum(a) + sum(b) + sum(c)) as value1) sum(eval (sum(a) + sum(b) + sum(c) - sum(x) - sum(y) - sum(z)) as value2)
```

Am I allowed to do an eval inside a sum? Is that the issue?

Comment

I see I added too many parens, it's actually this:

```
| timechart span=1mon sum(eval (sum(a) + sum(b) + sum(c)) as value1 sum(eval (sum(a) + sum(b) + sum(c) - sum(x) - sum(y) - sum(z)) as value2
```

Accepted Answer

After that first `stats` call, you don't have any `_time` fields left, because you didn't carry them through the stats. The `timechart` command requires a `_time` field to work.

Bloody brilliant, missed that. elliotproebstel, post that as a comment, not a reply so I can accept it. By changing stats to eventstats it works. Thanks!!!

Hi richkappler,

Are you using Post Process search?

If yes, at the end of the base search you have to insert

```
| fields list_of_used_fields
```

If this isn't your problem, try

```
| bin _time span=1mon
| eval value1=a+b+c, value2=a+b+c-x-y-z
| timechart sum(value1) AS value1 sum(value2) AS value2 BY _time
```

Bye.

Giuseppe

Thanks Giuseppe, that didn't quite work. Here's what I've got now:

```
| stats sum(x) as X, sum(y) as Y, sum(z) as Z, sum(a) as A, sum(b) as B, sum(c) as C
| eval VALUE_1= X + Y + Z
| eval VALUE_2=A + B + C - VALUE_1
| timechart span=1mon sum(VALUE_1) as VALUE_1 sum(VALUE_2) as VALUE_2
```

If I leave off that last line, I get the statistics table with all the correct values. Adding the timechart gives me no result.
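The accepted answer's point, carrying `_time` through `stats` so that `timechart` still has something to bucket, shown as an added example that is not part of the original thread. The first four lines only generate constructed sample events (six events spaced 15 days apart, with made-up values for `a`, `b`, `c`, `x`, `y`, `z`); the rest is the search from the last comment with `bin _time` added and `BY _time` appended to `stats`.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = now() - n * 15 * 86400
| eval a = 10 * n, b = 5, c = 1, x = 2 * n, y = 1, z = 1
| bin _time span=1mon
| stats sum(x) AS X, sum(y) AS Y, sum(z) AS Z, sum(a) AS A, sum(b) AS B, sum(c) AS C BY _time
| eval VALUE_1 = X + Y + Z
| eval VALUE_2 = A + B + C - VALUE_1
| timechart span=1mon sum(VALUE_1) AS VALUE_1 sum(VALUE_2) AS VALUE_2
```

Removing `BY _time` from the `stats` line reproduces the empty `timechart` result, because the single aggregated row no longer has a `_time` field.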


**Tags:**

eval, timechart, dashboard

**Asked:** Feb 09 at 08:13 AM

**Seen:** 120 times

**Last updated:** Feb 9, '18


Copyright © 2005-2018 Splunk Inc. All rights reserved.
