topic Re: timechart and sum seperate events in Splunk Search

timechart and sum seperate events

HansK — Mon, 28 Sep 2020 13:30:48 GMT

Im running this query:

host="forward*" count 
| eval platform_800_count = ASICM_count_DN_800 + DF2_count_DN_800 + DF2_count_TT_800 
| timechart max(coin_ENEC_count_DN_800), max(ASICM_count_DN_800), max(DF2_count_DN_800), max(DF2_count_TT_800), max(platform_800_count)

I expect eval to sum the fields into platform_800_count and as a last step to timechart this field but it does not present a value on the chart for platform_800_count.

Other fields are presented.

As Martin points out below I cannot eval seperate events, is there another method to do this?

Re: timechart and sum seperate events

martin_mueller — Mon, 28 Sep 2020 13:30:51 GMT

Does platform_800_count have values before you apply the timechart?

Re: timechart and sum seperate events

HansK — Thu, 14 Mar 2013 12:52:29 GMT

no it's a new field i create with eval

Re: timechart and sum seperate events

martin_mueller — Thu, 14 Mar 2013 12:53:57 GMT

After eval, before timechart. Try this:

host="forward*" count | eval platform_800_count = ASICM_count_DN_800 + DF2_count_DN_800 + DF2_count_TT_800 | stats values(platform_800_count)

Re: timechart and sum seperate events

HansK — Thu, 14 Mar 2013 13:01:17 GMT

this query as above gives "no results found"

Re: timechart and sum seperate events

martin_mueller — Thu, 14 Mar 2013 13:02:46 GMT

Then your eval didn't work as you expected, so timechart has no chance to do anything.

What values do you have in those three fields you add together? All numbers?

Re: timechart and sum seperate events

HansK — Mon, 28 Sep 2020 13:30:53 GMT

Yes, all numbers and they all show up on the timechart.

If I only eval one field like "eval platform_800_count = ASICM_count_DN_800|" it does not show either.

Re: timechart and sum seperate events

martin_mueller — Thu, 14 Mar 2013 13:12:20 GMT

Odd - got some sample data?

Re: timechart and sum seperate events

HansK — Mon, 28 Sep 2020 13:30:56 GMT

data is like this:
2013-03-14 14:10:14 DF2_count_DN_800=669
2013-03-14 14:10:14 ASICM_count_DN_800=723
2013-03-14 14:10:14 DF2_count_TT_800=1155

Re: timechart and sum seperate events

martin_mueller — Thu, 14 Mar 2013 13:26:45 GMT

I see, those three are in separate events? Eval works on a per-event basis.

Re: timechart and sum seperate events

HansK — Thu, 14 Mar 2013 13:34:56 GMT

oops, ok did not know that

Re: timechart and sum seperate events

martin_mueller — Thu, 14 Mar 2013 13:39:00 GMT

You could do the eval after the timechart, provided there is a value for each field for each bucket.

Re: timechart and sum seperate events

HansK — Mon, 28 Sep 2020 13:30:58 GMT

Like so?:
host="forward*" count
| timechart max(coin_ENEC_count_DN_800), max(ASICM_count_DN_800), max(DF2_count_DN_800), max(DF2_count_TT_800)
|eval platform_800_count = ASICM_count_DN_800 + DF2_count_DN_800 + DF2_count_TT_800

How would I go about presenting the new field in the timechart?

Re: timechart and sum seperate events

martin_mueller — Thu, 14 Mar 2013 14:03:34 GMT

In order for that sum to work you first need to rename the result of your timechart. Switch to the table view instead of the graph to better understand this. The columns listed there is what eval can use as input. Once you correctly eval yourself a new field it automagically becomes a column there, and will automagically appear in the timechart.