- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Assistance with search query on generator power
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assistance with search query on generator power
Hello Splunk World,
Back at it today trying to chart out some power data off of generators.
I have 2 queries that need combined with different calculations.
Query 1. this query reports the way it should:
eval CurrentLoad=dcCurrentLoad/100, CurrentBattery=dcCurrentBattery/100, PowerBattery=dcPowerBattery/100 | timechart avg(CurrentLoad) as "Current Load", avg(CurrentBattery) as "Current Battery", avg(PowerBattery) as "Power Battery"
Query 2. same meaning, different language, however the calculations from the MFG stats that if we see a value "32768 or higher" this is a negative number so we calculate (value minus 65536 / 100
eval AlternatorCurrent=ppscAlternatorCurrent/100, CurrentBattery=ppscLoadBatteryCurrent/100, VoltageBattery=ppscLoadBatteryVoltage/100 | timechart avg(AlternatorCurrent) as "Alternator Current", avg(CurrentBattery) as "Battery Current", avg(VoltageBattery) as "Battery Voltage"
I did not add the Index or source type as that is already figured out to combine, the script in the query is where I am running into problems.
Thoughts or ideas?
I tried the coalesce that was provided a couple of days ago, thought it was working but was not certain.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Depends on what you want to toss together. This assumes that things named the same are the same, things named different are different.
| eval CurrentLoad = 0.01 * dcCurrentLoad
| eval AlternatorCurrent = 0.01 * if(ppscAlternatorCurrent>=32768,ppscAlternatorCurrent-65536,ppscAlternatorCurrent)
| eval CurrentBattery = 0.01 * coalesce(dcCurrentBattery,if(ppscLoadBatteryCurrent>=32768,ppscLoadBatteryCurrent-65536,ppscLoadBatteryCurrent))
| eval PowerBattery = 0.01 * dcPowerBattery
| eval VoltageBattery = 0.01 * if(ppscLoadBatteryVoltage>=32768,ppscLoadBatteryVoltage-65536,ppscLoadBatteryVoltage)
| timechart avg(CurrentLoad) as "Current Load",
avg(AlternatorCurrent) as "Alternator Current",
avg(CurrentBattery) as "Current Battery Current",
avg(PowerBattery) as "Power Battery",
avg(VoltageBattery) as "Battery Voltage"
On the other hand, if battery power and battery load are the same thing, then this coalesce would do it for you.
| eval PowerBattery = 0.01 * coalesce(dcPowerBattery,if(ppscLoadBatteryVoltage>=32768,ppscLoadBatteryVoltage-65536,ppscLoadBatteryVoltage))
| timechart avg(CurrentLoad) as "Current Load",
avg(AlternatorCurrent) as "Alternator Current",
avg(CurrentBattery) as "Current Battery Current",
avg(PowerBattery) as "Power Battery"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you say you want to do calculation like this?
eval AlternatorCurrent=if(ppscAlternatorCurrent>=32768),(ppscAlternatorCurrent-65536)/100,ppscAlternatorCurrent/100)
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
