https://community.splunk.com/t5/Splunk-Search/Doing-calculations-using-eval-command-with-fields-generated-by/m-p/315498#M94442 <P>Hi</P> <P>Can you please try this?</P> <PRE><CODE>index="sample_data" sourcetype="management_sampledata.csv" | timechart count(Ticket_No) as Inflow | append [search index="sample_data" sourcetype="management_sampledata.csv" Status=Closed | timechart count(Ticket_No) as "Closed/Cancelled" | fillnull] | timechart first(*) as * | eval Backlog_Total = (Inflow-'Closed/Cancelled') </CODE></PRE> <P>I have just changed in <CODE>Closed/Cancelled</CODE> field.</P> <P>Thanks</P> Thu, 30 Nov 2017 07:33:39 GMT kamlesh_vaghela 2017-11-30T07:33:39Z https://community.splunk.com/t5/Splunk-Search/Doing-calculations-using-eval-command-with-fields-generated-by/m-p/315497#M94441 <P>Hi,</P> <P>I'm doing some search query where I used timechart command that creates fields. Now, what I want to do is to some calculations with this fields using eval command but nothing happens.</P> <P>Here's my query:</P> <PRE><CODE>index="sample_data" sourcetype="management_sampledata.csv" | timechart count(Ticket_No) as Inflow | append [search index="sample_data" sourcetype="management_sampledata.csv" Status=Closed | timechart count(Ticket_No) as Closed/Cancelled | fillnull] | timechart first(*) as * | eval Backlog_Total = (Inflow-Closed/Cancelled) </CODE></PRE> <P>And here's the result:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3944i491EA1DBF3CBA2FE/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>What I was expecting to happen is a new field named "Backlog_Total" will be created using the eval command.</P> <P>I hope someone can help me with this.</P> <P>Thank you.</P> Thu, 30 Nov 2017 05:41:35 GMT https://community.splunk.com/t5/Splunk-Search/Doing-calculations-using-eval-command-with-fields-generated-by/m-p/315497#M94441 jvmerilla 2017-11-30T05:41:35Z https://community.splunk.com/t5/Splunk-Search/Doing-calculations-using-eval-command-with-fields-generated-by/m-p/315498#M94442 <P>Hi</P> <P>Can you please try this?</P> <PRE><CODE>index="sample_data" sourcetype="management_sampledata.csv" | timechart count(Ticket_No) as Inflow | append [search index="sample_data" sourcetype="management_sampledata.csv" Status=Closed | timechart count(Ticket_No) as "Closed/Cancelled" | fillnull] | timechart first(*) as * | eval Backlog_Total = (Inflow-'Closed/Cancelled') </CODE></PRE> <P>I have just changed in <CODE>Closed/Cancelled</CODE> field.</P> <P>Thanks</P> Thu, 30 Nov 2017 07:33:39 GMT https://community.splunk.com/t5/Splunk-Search/Doing-calculations-using-eval-command-with-fields-generated-by/m-p/315498#M94442 kamlesh_vaghela 2017-11-30T07:33:39Z https://community.splunk.com/t5/Splunk-Search/Doing-calculations-using-eval-command-with-fields-generated-by/m-p/315499#M94443 <P>Hi @kamlesh_vaghela,</P> <P>It works!</P> <P>Thank you again. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 30 Nov 2017 07:55:29 GMT https://community.splunk.com/t5/Splunk-Search/Doing-calculations-using-eval-command-with-fields-generated-by/m-p/315499#M94443 jvmerilla 2017-11-30T07:55:29Z https://community.splunk.com/t5/Splunk-Search/Doing-calculations-using-eval-command-with-fields-generated-by/m-p/315500#M94444 <P>Glad to help you.<BR /> Can you please accept the answer to close this question and upvote any comment which helps you.</P> <P>Happy Splunking</P> Thu, 30 Nov 2017 08:07:45 GMT https://community.splunk.com/t5/Splunk-Search/Doing-calculations-using-eval-command-with-fields-generated-by/m-p/315500#M94444 kamlesh_vaghela 2017-11-30T08:07:45Z