topic Re: how to divide two fields in a search and print the result values in timechart in Splunk Search

how to divide two fields in a search and print the result values in timechart

sawgata12345 — Tue, 29 Sep 2020 17:42:06 GMT

Hi,

suppose a query is like: index="demo1" total_bytes,total_time,date etc
I need to divide total_bytes/total_time from each record and show the value in timechart.

index="demo1" |eval result = total_bytes / total_time | timechart result

Re: how to divide two fields in a search and print the result values in timechart

mayurr98 — Mon, 22 Jan 2018 09:42:11 GMT

you can try something like this

index="demo1" |eval result = total_bytes / total_time | timechart span=1h values(result)

specify span accordingly you can specify anything I have specified as 1 hour
Using this query you might get multiple results for one timestamp as there can be multiple results within that time period.

If you want to sum all the time for that time period you can use

index="demo1" |eval result=total_bytes / total_time | timechart span=1h sum(result)

let me know if this helps!

Re: how to divide two fields in a search and print the result values in timechart

erikgrasman — Tue, 29 Sep 2020 17:42:09 GMT

index="demo1" sourcetype="demo1"
| timechart eval(avg(total_bytes)/avg(total_time)) as result

As the error states you need to use a function in your timechart (like avg or max)

Re: how to divide two fields in a search and print the result values in timechart

sawgata12345 — Tue, 29 Sep 2020 17:42:17 GMT

Hi,
ya it helped a bit.
I used
index="demo1" earliest=-7d@w1 latest=@w6 |eval res= total_write_io_bytes/total_write_io_count |timechart values(res)

its actually adding all the res for one day and showing single. for the past week each day value is showing as total of the day.
https://unsee.cc/c8d8030b/

I need it per record basis as and when data comes in, for each record evaluate the value of total_write_io_bytes/total_write_io_count and show in time series as continuous basis.
(after each 10 sec data is coming in, so it should show multiple records in timechart for a single day itself)

Re: how to divide two fields in a search and print the result values in timechart

mayurr98 — Mon, 22 Jan 2018 11:38:51 GMT

|timechart values(res) will not add up. this command will give you all the results in that time period.
If you want per event basis time then you can do something like this.

index="demo1" earliest=-7d@w1 latest=@w6 |eval res= total_write_io_bytes/total_write_io_count | bin _time span=1d |  eval _time=strftime(_time,"%Y-%m-%d") | chart count over res by _time

index="demo1" earliest=-7d@w1 latest=@w6 |eval res= total_write_io_bytes/total_write_io_count | timechart count by res

let me know if this helps!

Re: how to divide two fields in a search and print the result values in timechart

sawgata12345 — Mon, 22 Jan 2018 12:34:08 GMT

thanks
it works