topic Re: How do I add two rows with different identifiers and chart? in Splunk Search

How do I add two rows with different identifiers and chart?

sriramv2006 — Thu, 25 Feb 2021 18:06:52 GMT

Hi,

I have a table like this:

Tag | Value
aa | 15.5
bb | 20
cc | 23

I want to chart the value "dd = aa + bb" . Seems simple enough, but I haven't been able to find a solution through "sum" or "addtotals".

I tried the below also, but no luck.
my_search_query | eval dd = aa + bb | chart latest(dd)

Your help is appreciated. Thanks in advance!

Re: How do I add two rows with different identifiers and chart?

ITWhisperer — Thu, 25 Feb 2021 19:35:25 GMT

eval dd = aa + bb will create a field on each event in your pipeline adding fields aa and bb from that event. Are all these "tag"s and "value"s in different events? Is there anything else in the event that correlates aa and bb?

Re: How do I add two rows with different identifiers and chart?

sriramv2006 — Thu, 25 Feb 2021 20:08:27 GMT

Thanks for your response!

Every event will have aa and bb rows. My "tag"s and "value"s can be from multiple events.

When I do the following, the chart/table comes up empty for "dd"
my_search_query | eval dd = aa + bb | chart latest(dd)

Since I'm looking for the latest event, tried this also:
my_search_query | eval dd = latest(aa) + latest(bb) | chart latest(dd)
But I get the following syntax error:
Error in 'eval' command: The 'latest' function is unsupported or undefined.

Re: How do I add two rows with different identifiers and chart?

ITWhisperer — Thu, 25 Feb 2021 20:18:21 GMT

I am confused by your use of event and rows. Each event would normal take up one row in the events table. If aa and bb are different rows, then they are from different events as far as splunk is concerned. If these events are from the same event in application terms, e.g. the same application event generates multiple lines in a log which are ingested by splunk, as separate splunk events, is there a way from the event data to correlate these events so you know which aa belongs with which bb?

An example of your actual raw events as seen by splunk might be useful, although I recommend that you obfuscate any sensitive data.

Re: How do I add two rows with different identifiers and chart?

sriramv2006 — Thu, 25 Feb 2021 20:52:11 GMT

Please ignore my question. My sum was trying to sum up strings. This worked:

my_search_query | eval dd = tonumber(aa) + tonumber(bb) | chart latest(dd)