Solved: Am I allowed to do an eval inside a sum when creat...

richkappler · ‎02-09-2018

I've been poking at this for a couple of hours, I think I'm missing something obvious but it's a forest for trees thang.

I have to create 2 dashboards, first is done and tested sat, second uses all of the first except the last line. No, I can't post the exact code. Suffice it to say, I have aggregated 6 fields, a, b, c, x, y, z.

In the first panel, I had to sum a, b, c and then display them in a timechart span=1mon as a stacked bar chart. Works great.

In the second panel I have to sum x, y, z, then take that and subtract it from sum of a, b, c, and present sum of x, y, z and diff (a+b+c) - (x+y+z) in a stacked bar chart, span=1mon.

Here's the line I have to try to do this, but its not presnting any values (nor errors):

| timechart span=1mon sum(eval (sum(a) + sum(b) + sum(c)) as value1) sum(eval (sum(a) + sum(b) + sum(c) - sum(x) - sum(y) - sum(z)) as value2)

Am I allowed to do an eval inside a sum? Is that the issue?

elliotproebstel · ‎02-09-2018

After that first stats call, you don't have any _time fields left, because you didn't carry them through the stats. The timechart command requires a _time field to work.

View solution in original post

elliotproebstel · ‎02-09-2018

After that first stats call, you don't have any _time fields left, because you didn't carry them through the stats. The timechart command requires a _time field to work.

richkappler · ‎02-09-2018

Bloody brilliant, missed that. elliotproebstel, post that as a comment, not a reply so I can accept it. By changing stats to eventstats it works. Thanks!!!

micahkemp · ‎02-09-2018

I don't think @elliotproebstel will mind that I took the liberty of converting the comment to an answer for him.

elliotproebstel · ‎02-09-2018

Thanks, @micah 🙂

gcusello · ‎02-09-2018

Hi richkappler,
are you using Post Process search?
if yes, at the end of the base search you have to insert

| fields list_of_used_fields

if this isn't your problem, try

| bin_time  span=1mon 
| eval value1=a+b+c, value2=a+b+c-x-y-z
| timechart sum(value1) AS value1 sum(value2) AS value2 BY _time

Bye.
Giuseppe

richkappler · ‎02-09-2018

Thanks Giuseppe, that didn't quite work. Here's what I've got now:

| stats sum(x) as X, sum(y) as Y, sum(z) as Z, sum(a) as A, sum(b) as B, sum(c) as C
| eval VALUE_1= X + Y + Z
| eval VALUE_2=A + B + C - VALUE_1
| timechart span=1mon sum(VALUE_1) as VALUE_1 sum(VALUE_2) as VALUE_2

If I leave off that last line, I get the statistics table with all the correct values. Adding the timechart gives me no result.

richkappler · ‎02-09-2018

I see I added too many parens, it's actually this:

| timechart span=1mon sum(eval (sum(a) + sum(b) + sum(c)) as value1 sum(eval (sum(a) + sum(b) + sum(c) - sum(x) - sum(y) - sum(z)) as value2

richkappler · ‎02-09-2018

I now also see why sum(eval (a bunch of sums)) won't work, there's nothing for the outside sum to sum. Not sure how to proceed though.

Am I allowed to do an eval inside a sum when creating dashboards?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk