Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

timechart and sum seperate events

HansK
Path Finder
‎03-14-2013 05:47 AM

Im running this query:

host="forward*" count 
| eval platform_800_count = ASICM_count_DN_800 + DF2_count_DN_800 + DF2_count_TT_800 
| timechart max(coin_ENEC_count_DN_800), max(ASICM_count_DN_800), max(DF2_count_DN_800), max(DF2_count_TT_800), max(platform_800_count)

I expect eval to sum the fields into platform_800_count and as a last step to timechart this field but it does not present a value on the chart for platform_800_count.

Other fields are presented.

As Martin points out below I cannot eval seperate events, is there another method to do this?

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-14-2013 06:39 AM

You could do the eval after the timechart, provided there is a value for each field for each bucket.

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-14-2013 07:03 AM

In order for that sum to work you first need to rename the result of your timechart. Switch to the table view instead of the graph to better understand this. The columns listed there is what eval can use as input. Once you correctly eval yourself a new field it automagically becomes a column there, and will automagically appear in the timechart.

Reply

HansK
Path Finder
‎03-14-2013 06:55 AM

Like so?:
host="forward*" count
| timechart max(coin_ENEC_count_DN_800), max(ASICM_count_DN_800), max(DF2_count_DN_800), max(DF2_count_TT_800)
|eval platform_800_count = ASICM_count_DN_800 + DF2_count_DN_800 + DF2_count_TT_800

How would I go about presenting the new field in the timechart?

0 Karma
Reply

HansK
Path Finder
‎03-14-2013 06:34 AM

oops, ok did not know that

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-14-2013 06:26 AM

I see, those three are in separate events? Eval works on a per-event basis.

Reply

HansK
Path Finder
‎03-14-2013 06:19 AM

data is like this:
2013-03-14 14:10:14 DF2_count_DN_800=669
2013-03-14 14:10:14 ASICM_count_DN_800=723
2013-03-14 14:10:14 DF2_count_TT_800=1155

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-14-2013 06:12 AM

Odd - got some sample data?

0 Karma
Reply

HansK
Path Finder
‎03-14-2013 06:05 AM

Yes, all numbers and they all show up on the timechart.

If I only eval one field like "eval platform_800_count = ASICM_count_DN_800|" it does not show either.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-14-2013 06:02 AM

Then your eval didn't work as you expected, so timechart has no chance to do anything.

What values do you have in those three fields you add together? All numbers?

0 Karma
Reply

HansK
Path Finder
‎03-14-2013 06:01 AM

this query as above gives "no results found"

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-14-2013 05:53 AM

After eval, before timechart. Try this:

host="forward*" count | eval platform_800_count = ASICM_count_DN_800 + DF2_count_DN_800 + DF2_count_TT_800 | stats values(platform_800_count)
0 Karma
Reply

HansK
Path Finder
‎03-14-2013 05:52 AM

no it's a new field i create with eval

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-14-2013 05:51 AM

Does platform_800_count have values before you apply the timechart?

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...