Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Append column to timechart, that is a function of existing columns.

wlbaird
Engager
‎06-23-2021 10:01 AM

I have a timechart with columns A and B, I would like to add a third column C, where C=A/B

My timechart is created by:

index=...

| timechart span=10m count(_raw) AS A

| appendcols [ index= ....

| timechart span=10m count(_raw) AS B]

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-23-2021 09:24 PM

@wlbaird 

You can try some thing like this also.

index="..." OR index="...." | timechart span=10m sum(eval(if(index="...",1,0))) as A  sum(eval(if(index="....",1,0))) as B | eval C=A/B

 

My Sample Search :

index="_internal" OR index="_introspection" | timechart span=10m sum(eval(if(index="_internal",1,0))) as A  sum(eval(if(index="_introspection",1,0))) as B | eval C=A/B

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
 

0 Karma
Reply

wlbaird
Engager
‎06-23-2021 11:15 AM

Thanks that worked. 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-23-2021 10:28 AM 
index=...
| timechart span=10m count(_raw) AS A
| appendcols [ index= ....
| timechart span=10m count(_raw) AS B]
| eval C=A/B
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...