https://community.splunk.com/t5/Splunk-Search/Timechart-with-eval/m-p/197331#M57011 <P>We are showing a timechart with bandwidth in kilobits per second. We would like to transform this data into kilobytes per second. So the value of bandwidth divided by 1024.</P> <P>This is the query:</P> <PRE><CODE>name="Bandwidth by Client" (515502 OR 410407 OR 414565 OR 444422 OR 777777) | timechart median(measures.Bandwidth) by "dimensions.Client Name" </CODE></PRE> <P>I tried various things, such as adding an eval before, and then piping it on to the timechart, and also adding an eval function around the median function. But nothing seems to work.</P> <P>We are using Splunk 6.0.1</P> <P>Thank you in advance<BR /> Gidon</P> Tue, 07 Jan 2014 08:46:28 GMT cet 2014-01-07T08:46:28Z https://community.splunk.com/t5/Splunk-Search/Timechart-with-eval/m-p/197331#M57011 <P>We are showing a timechart with bandwidth in kilobits per second. We would like to transform this data into kilobytes per second. So the value of bandwidth divided by 1024.</P> <P>This is the query:</P> <PRE><CODE>name="Bandwidth by Client" (515502 OR 410407 OR 414565 OR 444422 OR 777777) | timechart median(measures.Bandwidth) by "dimensions.Client Name" </CODE></PRE> <P>I tried various things, such as adding an eval before, and then piping it on to the timechart, and also adding an eval function around the median function. But nothing seems to work.</P> <P>We are using Splunk 6.0.1</P> <P>Thank you in advance<BR /> Gidon</P> Tue, 07 Jan 2014 08:46:28 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-with-eval/m-p/197331#M57011 cet 2014-01-07T08:46:28Z https://community.splunk.com/t5/Splunk-Search/Timechart-with-eval/m-p/197332#M57012 <P>Hi cet,</P> <P>assuming your kilobits field name is <CODE>measures.Bandwidth</CODE> you can do the following:</P> <PRE><CODE>name="Bandwidth by Client" (515502 OR 410407 OR 414565 OR 444422 OR 777777) | eval measures.Bandwidth='measures.Bandwidth'/1024 | timechart median(measures.Bandwidth) by "dimensions.Client Name" </CODE></PRE> <P>you can also rename the median in the <CODE>timechart</CODE> like this:</P> <PRE><CODE>name="Bandwidth by Client" (515502 OR 410407 OR 414565 OR 444422 OR 777777) | eval measures.Bandwidth='measures.Bandwidth'/1024 | timechart median(measures.Bandwidth) AS median.KB.Bandwidth by "dimensions.Client Name" </CODE></PRE> <P>watch out for the <CODE>''</CODE> around the field name in <CODE>eval</CODE>, else <CODE>eval</CODE> will not ignore the dot in the name. Or <CODE>rename</CODE> your field to something without <CODE>.</CODE> in the name before the eval.</P> <P>hope this helps ...</P> <P>cheers, MuS</P> Tue, 07 Jan 2014 08:57:07 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-with-eval/m-p/197332#M57012 MuS 2014-01-07T08:57:07Z https://community.splunk.com/t5/Splunk-Search/Timechart-with-eval/m-p/197333#M57013 <P>Once I add the eval expression , my timechart stops working. The statistics tab shows 0 stats. What could be the problem?</P> Tue, 07 Jan 2014 09:03:12 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-with-eval/m-p/197333#M57013 cet 2014-01-07T09:03:12Z https://community.splunk.com/t5/Splunk-Search/Timechart-with-eval/m-p/197334#M57014 <P>remove everything after the eval and see if you get anything</P> Tue, 07 Jan 2014 09:04:49 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-with-eval/m-p/197334#M57014 MuS 2014-01-07T09:04:49Z https://community.splunk.com/t5/Splunk-Search/Timechart-with-eval/m-p/197335#M57015 <P>did you mean:</P> <P>name="Bandwidth by Client" (515502 OR 410407 OR 414565 OR 444422 OR 777777)| eval measures.Bandwidth=measures.Bandwidth/1024</P> <P>this does return events. I also checked that measurs.Bandwidth is a number, and yes splunk recognizes it as a number.</P> Tue, 07 Jan 2014 09:08:20 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-with-eval/m-p/197335#M57015 cet 2014-01-07T09:08:20Z https://community.splunk.com/t5/Splunk-Search/Timechart-with-eval/m-p/197336#M57016 <P><EM>facepalm</EM> stupid me, see my update to fix it <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 07 Jan 2014 09:11:20 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-with-eval/m-p/197336#M57016 MuS 2014-01-07T09:11:20Z https://community.splunk.com/t5/Splunk-Search/Timechart-with-eval/m-p/197337#M57017 <P>GREAT!!! Thanks a million!</P> Tue, 07 Jan 2014 09:17:16 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-with-eval/m-p/197337#M57017 cet 2014-01-07T09:17:16Z https://community.splunk.com/t5/Splunk-Search/Timechart-with-eval/m-p/197338#M57018 <P>you're welcome <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 07 Jan 2014 09:22:57 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-with-eval/m-p/197338#M57018 MuS 2014-01-07T09:22:57Z