topic Re: How to get the result of timechart value divided by a number in Splunk Search

How to get the result of timechart value divided by a number

mindia — Mon, 10 Sep 2018 07:56:21 GMT

search command

host= index= sourcetype=syslog job=* "jobname" | dedub job | fields - _raw  | timechart span=1d count by jobname

I get the result as

_time                                jobname
2018-09-08                       24
2018-09-07                       12
2018-09-06                       36

But I need the result as below ( like dividing the jobname field value by 6)

_time                 jobname
2018-09-08        4
2018-09-07        2
2018-09-06        6

Please suggest.

Re: How to get the result of timechart value divided by a number

renjith_nair — Mon, 10 Sep 2018 12:14:31 GMT

@mindia,

There are multiple ways to do it.

host= index= sourcetype=syslog job=* "jobname" | dedub job | fields - _raw | timechart span=1d count by jobname|untable _time,jobname,count|eval count=count/6|xyseries _time,jobname,count

host= index= sourcetype=syslog job=* "jobname" | dedub job | fields - _raw | timechart span=1d count by jobname|foreach * [eval <<FIELD>>=<<FIELD>>/6]

Re: How to get the result of timechart value divided by a number

mstjohn_splunk — Mon, 10 Sep 2018 22:21:26 GMT

hi @mindia,

Did the answer below solve your problem? If so, please resolve this post by approving it!
If your problem is still not solved, keep us updated so that someone else can help ya.
Thanks for posting!

Re: How to get the result of timechart value divided by a number

mindia — Tue, 11 Sep 2018 10:57:44 GMT

Actually both commands did not help here. My search is slightly different.

The logs contain job ids and url = "https://url/

I am searching for the and count by I am specifying url

host= index= sourcetype=syslog job=* "" | dedub job | fields - _raw | timechart span=1d count by url

I tried below search using foreach

host= index= sourcetype=syslog job=* "" | dedub job | fields - _raw | timechart span=1d count by url |foreach * [eval <>=<>/6]

.. it displayed the same result.. actually what to substitute for FIELD is not clear.

The another commend using untable was not able execute. it gave errors.

Re: How to get the result of timechart value divided by a number

mindia — Tue, 11 Sep 2018 14:26:44 GMT

The logs contain job ids and url = "https://url/name1

I am searching for the name1 and count by I am specifying 'url'

host= index= sourcetype=syslog job=* "name1" | dedub job | fields - _raw | timechart span=1d count by url

similarly I would try for name2

host= index= sourcetype=syslog job=* "name2" | dedub job | fields - _raw | timechart span=1d count by url

Re: How to get the result of timechart value divided by a number

renjith_nair — Wed, 12 Sep 2018 02:19:29 GMT

@mindia, for the foreach you dont need to substitute anything , just use FIELD as it is.

What's the error in untable ?

In the result after timechart , how many columns are you getting ? I mean is it _time,jobname1,jobname2 or is it only one job name ?

Below is a run anywhere example you could use and compare

index=_* earliest=-15m |timechart span=5m count by sourcetype|untable _time,sourcetype,count|eval count=count/6|xyseries _time,sourcetype,count

Re: How to get the result of timechart value divided by a number

DalJeanis — Wed, 12 Sep 2018 03:09:53 GMT

Both of the solutions provided by @renjith.nair should have worked. Here's a third...

host=foo index=bar sourcetype=syslog job=* "jobname" 
| dedup job 
| eval quarter= 0.25
| timechart span=1d sum(quarter) by url

And here's a fourth ...

host=foo index=bar sourcetype=syslog job=* "jobname" 
| dedup job 
| timechart span=6h count by url
| bin _time span=1d
| stats avg(*) as * by _time

And I'm tempted to come up with a fifth, just for grins.

All of these should work, given your stated requirements.

Re: How to get the result of timechart value divided by a number

mindia — Thu, 13 Sep 2018 06:16:23 GMT

@renjith.nair nothing worked

the log contains job ids and urls. URL ex: http://website/names

the query is

host="hostname" index="indexname" sourcetype="syslog" job=* "http://website/name1" | dedup job | fields - _raw
| timechart span=1d count by url

I get the result as

_time jobname
2018-09-08 24
2018-09-07 12
2018-09-06 36
But I need the result as below ( like dividing the jobname field value by 6)

_time jobname
2018-09-08 4
2018-09-07 2
2018-09-06 6

Re: How to get the result of timechart value divided by a number

mindia — Thu, 13 Sep 2018 06:18:29 GMT

Not yet.....

Re: How to get the result of timechart value divided by a number

mindia — Thu, 13 Sep 2018 06:22:15 GMT

Logs contain job ids and urls

Ex: job=23 url=http://website/names

Make a note, url contains names, whereas I am searching for each name. like name1, name2, etc.

host= index= sourcetype=syslog job=* "http://website/name1" | dedub job | fields - _raw | timechart span=1d count by url

Splunk search returns results like below

_time name1
2018-09-08 24
2018-09-07 12
2018-09-06 36

But I need the result as below ( like dividing the name1 field value by 6)

_time name1
2018-09-08 4
2018-09-07 2
2018-09-06 6

Re: How to get the result of timechart value divided by a number

rvany — Thu, 13 Sep 2018 07:21:05 GMT

Maybe the shortest solution is to write "dedup" (instead of dedub)?

Re: How to get the result of timechart value divided by a number

mindia — Thu, 13 Sep 2018 07:46:01 GMT

it is already dedup.. its a typo here.

Re: How to get the result of timechart value divided by a number

rvany — Thu, 13 Sep 2018 08:29:04 GMT

You are searching for job=* "jobname", you dedup by job and timechart by jobname. In another post you have name1 and url (the latter as a field name). So what are you really searching for?

And regarding this "devided by 6" - do you really want to divide? Why are you sure your number should be "like dividing the jobname by 6"?

Would be great to get an understanding of the underlying data.

Re: How to get the result of timechart value divided by a number

mindia — Fri, 14 Sep 2018 06:45:19 GMT

name1 is the actual.. I had explained with example. I need not to be exactly 6 it can be any number but I want to specify.