https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-calculation-to-a-chart/m-p/243978#M72604 <P>Hello sunhareshr. This works, but adds a new column for each value of FIELD3 instead of just adding one. There is no difference between </P> <PRE><CODE>.... | eventstats dc(field4) as dc_f4 by field2 | chart avg(field1) as average values(dc_f4) as dist_count over field2 by field3 </CODE></PRE> <P>and</P> <PRE><CODE>.... | eventstats dc(field4) as dc_f4 by field2 | chart avg(field1) as average values(dc_f4) as dist_count by field2, field3 </CODE></PRE> <P>any ideas?</P> <P>Thanks!</P> Tue, 22 Nov 2016 06:25:52 GMT andrewtrobec 2016-11-22T06:25:52Z https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-calculation-to-a-chart/m-p/243974#M72600 <P>Hello,</P> <P>I have two separate chart calculations that I would like to combine into a single chart. The first is an avg calculation on a field grouped by two fields while the second is a distinct_count calculation on another field grouped by one field. So assuming a have four different fields, the two separate chart commands are:</P> <PRE><CODE>chart avg(FIELD1) by FIELD2, FIELD3 chart distinct_count(FIELD4) by FIELD2 </CODE></PRE> <P>I am trying to combine them so that the distinct_count ends up as the final column of the generated table. I have tried using:</P> <PRE><CODE>chart avg(FIELD1) distinct_count(FIELD4) by FIELD2, FIELD3 </CODE></PRE> <P>but all that accomplishes is splitting the distinct_count over FIELD3 as well, which is what I don't want.</P> <P>Is there a way of combining the two so that the distinct_count appears as a column at the end being grouped by FIELD2?</P> <P>Thank you!</P> <P>Andrew</P> Mon, 21 Nov 2016 22:53:37 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-calculation-to-a-chart/m-p/243974#M72600 andrewtrobec 2016-11-21T22:53:37Z https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-calculation-to-a-chart/m-p/243975#M72601 <PRE><CODE>somesearch | chart avg(FIELD1) by FIELD2, FIELD3 | append [search somesearch | chart distinct_count(FIELD4) by FIELD2] </CODE></PRE> Mon, 21 Nov 2016 23:01:08 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-calculation-to-a-chart/m-p/243975#M72601 bshuler_splunk 2016-11-21T23:01:08Z https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-calculation-to-a-chart/m-p/243976#M72602 <P>Try this</P> <P>*<STRONG><EM>UPDATED</EM></STRONG>*</P> <PRE><CODE>.... | eventstats dc(field4) as dc_f4 by field2 | eval field2= field2."#".dc_f4 | chart avg(field1) as average over field2 by field3 | rex field=field2 "(?&lt;field2&gt;[^#]+)#(?&lt;distinct_count&gt;.*)" </CODE></PRE> Tue, 22 Nov 2016 00:12:45 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-calculation-to-a-chart/m-p/243976#M72602 sundareshr 2016-11-22T00:12:45Z https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-calculation-to-a-chart/m-p/243977#M72603 <P>Thanks bshuler. The append command adds a new column to the chart, but the values are appended at the bottom as an entire new table. So basically the first half of the table is</P> <PRE><CODE>chart avg(FIELD1) by FIELD2, FIELD3 </CODE></PRE> <P>with the distinct_count column blank, while the second half of the table is</P> <PRE><CODE>chart distinct_count(FIELD4) by FIELD2 </CODE></PRE> <P>with all the avg columns blank.</P> <P>Any ideas?</P> <P>Thanks!</P> <P>Andrew</P> Tue, 22 Nov 2016 06:18:10 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-calculation-to-a-chart/m-p/243977#M72603 andrewtrobec 2016-11-22T06:18:10Z https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-calculation-to-a-chart/m-p/243978#M72604 <P>Hello sunhareshr. This works, but adds a new column for each value of FIELD3 instead of just adding one. There is no difference between </P> <PRE><CODE>.... | eventstats dc(field4) as dc_f4 by field2 | chart avg(field1) as average values(dc_f4) as dist_count over field2 by field3 </CODE></PRE> <P>and</P> <PRE><CODE>.... | eventstats dc(field4) as dc_f4 by field2 | chart avg(field1) as average values(dc_f4) as dist_count by field2, field3 </CODE></PRE> <P>any ideas?</P> <P>Thanks!</P> Tue, 22 Nov 2016 06:25:52 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-calculation-to-a-chart/m-p/243978#M72604 andrewtrobec 2016-11-22T06:25:52Z https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-calculation-to-a-chart/m-p/243979#M72605 <P>Try the updated query</P> Tue, 22 Nov 2016 08:53:29 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-calculation-to-a-chart/m-p/243979#M72605 sundareshr 2016-11-22T08:53:29Z https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-calculation-to-a-chart/m-p/243980#M72606 <P>Thanks, this works! I will do some reverse engineering to figure out the logic behind it. I appreciate your help!</P> Tue, 22 Nov 2016 11:26:37 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-calculation-to-a-chart/m-p/243980#M72606 andrewtrobec 2016-11-22T11:26:37Z https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-calculation-to-a-chart/m-p/571195#M199034 <P>Hi Sundareshr, i got this problem, i want to add value 1 to 2 and remove the Shift0, do you have any solution? Thanks<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Untitled.png" style="width: 995px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16449i1CCDF870DD12A548/image-size/large?v=v2&amp;px=999" role="button" title="Untitled.png" alt="Untitled.png" /></span></P> Sat, 16 Oct 2021 02:54:19 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-calculation-to-a-chart/m-p/571195#M199034 lnn2204 2021-10-16T02:54:19Z