I've been poking at this for a couple of hours. I think I'm missing something obvious, but it's a forest-for-the-trees thing.
I have to create 2 dashboards, first is done and tested sat, second uses all of the first except the last line. No, I can't post the exact code. Suffice it to say, I have aggregated 6 fields, a, b, c, x, y, z.
In the first panel, I had to sum a, b, c and then display them in a timechart span=1mon as a stacked bar chart. Works great.
In the second panel I have to sum x, y, z, then take that and subtract it from sum of a, b, c, and present sum of x, y, z and diff (a+b+c) - (x+y+z) in a stacked bar chart, span=1mon.
Here's the line I have to try to do this, but it's not presenting any values (nor errors):
| timechart span=1mon sum(eval (sum(a) + sum(b) + sum(c)) as value1) sum(eval (sum(a) + sum(b) + sum(c) - sum(x) - sum(y) - sum(z)) as value2)
Am I allowed to do an eval inside a sum? Is that the issue?
After that first stats call, you don't have any _time fields left, because you didn't carry them through the stats. The timechart command requires a _time field to work.
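A search that carries _time through the aggregation, as an added example and not code from this thread: bin _time to the month first, then aggregate by that bucket so timechart still has a _time field. The base search is a placeholder; the field names a, b, c, x, y, z are the ones from the question.

```spl
index=<your_index> sourcetype=<your_sourcetype>
| bin _time span=1mon
| stats sum(x) as X, sum(y) as Y, sum(z) as Z, sum(a) as A, sum(b) as B, sum(c) as C by _time
| eval VALUE_1 = X + Y + Z
| eval VALUE_2 = A + B + C - VALUE_1
| timechart span=1mon sum(VALUE_1) as VALUE_1 sum(VALUE_2) as VALUE_2
```

Because stats already produced one row per month, the final sum() only passes each month's value through; the span on timechart matches the bin span so no extra rows are created.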
Bloody brilliant, missed that. elliotproebstel, post that as a comment, not a reply, so I can accept it. By changing stats to eventstats it works. Thanks!!!
I don't think @elliotproebstel will mind that I took the liberty of converting the comment to an answer for him.
Thanks, @micah 🙂
Hi richkappler,
Are you using Post Process search?
If yes, at the end of the base search you have to insert
| fields list_of_used_fields
If this isn't your problem, try
| bin _time span=1mon
| eval value1=a+b+c, value2=a+b+c-x-y-z
| timechart sum(value1) AS value1 sum(value2) AS value2
Bye.
Giuseppe
Thanks Giuseppe, that didn't quite work. Here's what I've got now:
| stats sum(x) as X, sum(y) as Y, sum(z) as Z, sum(a) as A, sum(b) as B, sum(c) as C
| eval VALUE_1= X + Y + Z
| eval VALUE_2=A + B + C - VALUE_1
| timechart span=1mon sum(VALUE_1) as VALUE_1 sum(VALUE_2) as VALUE_2
If I leave off that last line, I get the statistics table with all the correct values. Adding the timechart gives me no result.
I see I added too many parens, it's actually this:
| timechart span=1mon sum(eval (sum(a) + sum(b) + sum(c)) as value1 sum(eval (sum(a) + sum(b) + sum(c) - sum(x) - sum(y) - sum(z)) as value2
I now also see why sum(eval (a bunch of sums)) won't work: there's nothing for the outside sum to sum. Not sure how to proceed though.