https://community.splunk.com/t5/Splunk-Search/Eval-Equals-Another-Field/m-p/421450#M121039 <P>Greetings,</P> <P>I have a query that ends with a timechart command</P> <PRE><CODE>| timechart span=1h eval(round(avg(FIELD),0)) as "Response" by source_type </CODE></PRE> <P>Previously, I created thresholds for my timechart by using eval</P> <PRE><CODE>| eval Normal = 500 | eval High = 1000 </CODE></PRE> <P>However, as my number of source_types grew, I could no longer utilize the same thresholds. I've created a lookup that contains the necessary thresholds for each specific source_type, and I can see the new field created in the fields column on the left hand side of the screen. However, I'm having trouble adding this new field or setting this new field as its intended threshold delimiter.</P> <P>So how can create a timechart (which I have to keep/utilize) and incorporate my thresholds from my lookup?</P> <P>The final output would look similar to this:</P> <PRE><CODE>_time Source_Type Normal High 3/3/19 ABC 500 1000 </CODE></PRE> <P>Any help is greatly appreciated.</P> Tue, 29 Sep 2020 23:33:38 GMT cquinney 2020-09-29T23:33:38Z https://community.splunk.com/t5/Splunk-Search/Eval-Equals-Another-Field/m-p/421450#M121039 <P>Greetings,</P> <P>I have a query that ends with a timechart command</P> <PRE><CODE>| timechart span=1h eval(round(avg(FIELD),0)) as "Response" by source_type </CODE></PRE> <P>Previously, I created thresholds for my timechart by using eval</P> <PRE><CODE>| eval Normal = 500 | eval High = 1000 </CODE></PRE> <P>However, as my number of source_types grew, I could no longer utilize the same thresholds. I've created a lookup that contains the necessary thresholds for each specific source_type, and I can see the new field created in the fields column on the left hand side of the screen. However, I'm having trouble adding this new field or setting this new field as its intended threshold delimiter.</P> <P>So how can create a timechart (which I have to keep/utilize) and incorporate my thresholds from my lookup?</P> <P>The final output would look similar to this:</P> <PRE><CODE>_time Source_Type Normal High 3/3/19 ABC 500 1000 </CODE></PRE> <P>Any help is greatly appreciated.</P> Tue, 29 Sep 2020 23:33:38 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Equals-Another-Field/m-p/421450#M121039 cquinney 2020-09-29T23:33:38Z https://community.splunk.com/t5/Splunk-Search/Eval-Equals-Another-Field/m-p/421451#M121040 <P>Like this:</P> <PRE><CODE>... | timechart span=1h eval(round(avg(FIELD),0)) AS Response BY Source_Type | untable _time sourcetype count | lookup MyThresholdLookup Source_Type ... </CODE></PRE> Tue, 05 Mar 2019 03:26:24 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Equals-Another-Field/m-p/421451#M121040 woodcock 2019-03-05T03:26:24Z https://community.splunk.com/t5/Splunk-Search/Eval-Equals-Another-Field/m-p/421452#M121041 <P>Thank you for suggestion but it didn't give the outcome I need. Do you know of a way to to create a new field based on another field or from the lookup?</P> <P>| eval Normal=Lookup.csv Normal</P> Tue, 05 Mar 2019 03:40:08 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Equals-Another-Field/m-p/421452#M121041 cquinney 2019-03-05T03:40:08Z https://community.splunk.com/t5/Splunk-Search/Eval-Equals-Another-Field/m-p/421453#M121042 <P>Let's start over. Show me:<BR /> 1: A few raw events<BR /> 2: Your full search (all of it)<BR /> 3: Your current output<BR /> 4: The first 2 lines of your <CODE>Lookup.csv</CODE> file<BR /> 5: A mockup of your desired output</P> Tue, 05 Mar 2019 03:50:18 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Equals-Another-Field/m-p/421453#M121042 woodcock 2019-03-05T03:50:18Z