Splunk Search

How to get timechart to work in a search with multiple calculations

Tylerdygert
Path Finder

Hello, I am trying to make a timechart for my field "finalProfit" in the search below.
I have tried doing timechart per_hour(finalProfit), eval commands in my timechart search, and a number of other options but I'm having no luck.
If anyone can help me reorganize the search to work with the timechart command I would greatly appreciate it. Thanks!

index=main sourcetype=marketapi
| foreach name [ eval baseprice = pricePerOne]
| eval savageDraught = case(name=="Wolf Blood", baseprice *4, name=="Blue Umbrella Mushroom", baseprice *4, name=="Bottle of River Water", baseprice *4, name=="Weeds", baseprice *1, name=="Monk's Branch", baseprice *16, name=="Moss Tree Sap", baseprice *16, name=="Powder of Darkness", baseprice *2, name=="Powder of Flame", baseprice *10, name=="Powder of Time", baseprice *6, name=="Red Tree Lump", baseprice *10, name=="Sky Blue Flower", baseprice *2, name=="Spirit's Leaf", baseprice *2, name=="Sunrise Herb", baseprice *1, name=="Thuja Sap", baseprice *12, name=="Violet Flower", baseprice *2, name=="Volcanic Umbrella Mushroom", baseprice *2)
| eval savageDraught = savageDraught/2.5
| search savageDraught!=''
| eval hammertime=_time
| bucket span=1h hammertime
| stats sum(savageDraught) AS craftedCost by hammertime
| appendcols
    [search index=main sourcetype=marketapi name="Savage Draught" 
    | eval Time=_time
    | eval purchaseCost = pricePerOne ]
| eval profit=purchaseCost - craftedCost - 100000
| eval finalProfit=profit*.85
0 Karma

Tylerdygert
Path Finder

I managed to get this to work by using this search:

index=main sourcetype=marketapi
| foreach name [ eval baseprice = pricePerOne]
| eval savageDraught = case(name=="Wolf Blood", baseprice *4, name=="Blue Umbrella Mushroom", baseprice *4, name=="Bottle of River Water", baseprice *4, name=="Weeds", baseprice *1, name=="Monk's Branch", baseprice *16, name=="Moss Tree Sap", baseprice *16, name=="Powder of Darkness", baseprice *2, name=="Powder of Flame", baseprice *10, name=="Powder of Time", baseprice *6, name=="Red Tree Lump", baseprice *10, name=="Sky Blue Flower", baseprice *2, name=="Spirit's Leaf", baseprice *2, name=="Sunrise Herb", baseprice *1, name=="Thuja Sap", baseprice *12, name=="Violet Flower", baseprice *2, name=="Volcanic Umbrella Mushroom", baseprice *2)
| eval savageDraught = savageDraught/2.5
| search savageDraught!=''
| bucket span=1h _time
| stats sum(savageDraught) AS craftedCost by _time
| appendcols
    [search index=main sourcetype=marketapi name="Savage Draught"
    | eval purchaseCost = pricePerOne ]
| eval profit=purchaseCost - craftedCost - 100000
| eval finalProfit=profit*.85
| timechart span=1h sum(finalProfit)

0 Karma

aberkow
Builder

I could be wrong here, but fairly certain your issue is that you no longer have the literal _time field, which is required for the timechart command. Example:

| makeresults count=3
| timechart count

This works.

| makeresults count=3
| eval time=_time
| table time, count
| timechart count

This doesn't work.

Rename/coalesce your time variables to _time and give it a shot?

0 Karma

Tylerdygert
Path Finder

How would I get my _time field back? I'm unsure how to accomplish this.

0 Karma

aberkow
Builder

Two ways: you can recreate it, like below, or you can never change your variables out of _time format at all.

| eval _time = coalesce(hammertime, Time) should work. All I meant was I'm pretty sure the timechart command absolutely requires a field called _time, it doesn't have to be the native one though!

| makeresults count=3
| eval time=_time
| table time, count
| eval _time=time
| timechart count

This works, as a further extension of my example.

0 Karma
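An added example, not from anyone in this thread, that applies aberkow's second suggestion (never rename `_time`) to the original search. It keeps `_time` intact through `bucket` and `stats ... by _time`, which is all `timechart` needs, and folds the Savage Draught purchase price into the same `stats` instead of `appendcols`, so the crafted cost and purchase price are matched by hour rather than by row position. Assumptions: `foreach name [eval baseprice = pricePerOne]` is equivalent to a plain `eval`, and `avg(purchaseCost)` is my choice for collapsing several Savage Draught prices that fall in one hour.

```spl
index=main sourcetype=marketapi
| eval baseprice = pricePerOne
``` Ingredient cost of one Savage Draught, using the recipe multipliers from the original search
| eval savageDraught = case(name=="Wolf Blood", baseprice*4, name=="Blue Umbrella Mushroom", baseprice*4, name=="Bottle of River Water", baseprice*4, name=="Weeds", baseprice*1, name=="Monk's Branch", baseprice*16, name=="Moss Tree Sap", baseprice*16, name=="Powder of Darkness", baseprice*2, name=="Powder of Flame", baseprice*10, name=="Powder of Time", baseprice*6, name=="Red Tree Lump", baseprice*10, name=="Sky Blue Flower", baseprice*2, name=="Spirit's Leaf", baseprice*2, name=="Sunrise Herb", baseprice*1, name=="Thuja Sap", baseprice*12, name=="Violet Flower", baseprice*2, name=="Volcanic Umbrella Mushroom", baseprice*2)
| eval savageDraught = savageDraught/2.5
``` Market price of the finished item; null for every other event so stats ignores it
| eval purchaseCost = if(name=="Savage Draught", pricePerOne, null())
``` Bucket on _time itself (no hammertime/Time copies), so the field name survives stats
| bucket span=1h _time
| stats sum(savageDraught) AS craftedCost, avg(purchaseCost) AS purchaseCost by _time
``` Same profit formula as the original: 100000 fee, 15% tax (assumed meanings of the constants)
| eval finalProfit = (purchaseCost - craftedCost - 100000) * 0.85
``` _time is still present, so timechart works directly
| timechart span=1h sum(finalProfit) AS finalProfit
```

Hours with no Savage Draught listing produce a null purchaseCost and therefore a null finalProfit; add `| where isnotnull(purchaseCost)` before the `timechart` if you want those hours dropped rather than plotted as gaps.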