How to get the result of timechart value divided b...

mindia · ‎09-10-2018

search command

host= index= sourcetype=syslog job=* "jobname" | dedub job | fields - _raw  | timechart span=1d count by jobname

I get the result as

_time                                jobname
2018-09-08                       24
2018-09-07                       12
2018-09-06                       36

But I need the result as below ( like dividing the jobname field value by 6)

_time                 jobname
2018-09-08        4
2018-09-07        2
2018-09-06        6

Please suggest.

rvany · ‎09-13-2018

Maybe the shortest solution is to write "dedup" (instead of dedub)?

mindia · ‎09-13-2018

it is already dedup.. its a typo here.

rvany · ‎09-13-2018

You are searching for job=* "jobname", you dedup by job and timechart by jobname. In another post you have name1 and url (the latter as a field name). So what are you really searching for?

And regarding this "devided by 6" - do you really want to divide? Why are you sure your number should be "like dividing the jobname by 6"?

Would be great to get an understanding of the underlying data.

mindia · ‎09-13-2018

name1 is the actual.. I had explained with example. I need not to be exactly 6 it can be any number but I want to specify.

mindia · ‎09-12-2018

@renjith.nair nothing worked

the log contains job ids and urls. URL ex: http://website/names

the query is

host="hostname" index="indexname" sourcetype="syslog" job=* "http://website/name1" | dedup job | fields - _raw
| timechart span=1d count by url

I get the result as

_time jobname
2018-09-08 24
2018-09-07 12
2018-09-06 36
But I need the result as below ( like dividing the jobname field value by 6)

_time jobname
2018-09-08 4
2018-09-07 2
2018-09-06 6

DalJeanis · ‎09-11-2018

Both of the solutions provided by @renjith.nair should have worked. Here's a third...

host=foo index=bar sourcetype=syslog job=* "jobname" 
| dedup job 
| eval quarter= 0.25
| timechart span=1d sum(quarter) by url

And here's a fourth ...

host=foo index=bar sourcetype=syslog job=* "jobname" 
| dedup job 
| timechart span=6h count by url
| bin _time span=1d
| stats avg(*) as * by _time

And I'm tempted to come up with a fifth, just for grins.

All of these should work, given your stated requirements.

mstjohn_splunk · ‎09-10-2018

hi @mindia,

Did the answer below solve your problem? If so, please resolve this post by approving it!
If your problem is still not solved, keep us updated so that someone else can help ya.
Thanks for posting!

mindia · ‎09-12-2018

Not yet.....

mindia · ‎09-12-2018

Logs contain job ids and urls

Ex: job=23 url=http://website/names

Make a note, url contains names, whereas I am searching for each name. like name1, name2, etc.

host= index= sourcetype=syslog job=* "http://website/name1" | dedub job | fields - _raw | timechart span=1d count by url

Splunk search returns results like below

_time name1
2018-09-08 24
2018-09-07 12
2018-09-06 36

But I need the result as below ( like dividing the name1 field value by 6)

_time name1
2018-09-08 4
2018-09-07 2
2018-09-06 6

renjith_nair · ‎09-10-2018

@mindia,

There are multiple ways to do it.

host= index= sourcetype=syslog job=* "jobname" | dedub job | fields - _raw | timechart span=1d count by jobname|untable _time,jobname,count|eval count=count/6|xyseries _time,jobname,count

OR

host= index= sourcetype=syslog job=* "jobname" | dedub job | fields - _raw | timechart span=1d count by jobname|foreach * [eval <<FIELD>>=<<FIELD>>/6]

Happy Splunking!

mindia · ‎09-11-2018

Actually both commands did not help here. My search is slightly different.

The logs contain job ids and url = "https://url/

I am searching for the and count by I am specifying url

host= index= sourcetype=syslog job=* "" | dedub job | fields - _raw | timechart span=1d count by url

I tried below search using foreach

host= index= sourcetype=syslog job=* "" | dedub job | fields - _raw | timechart span=1d count by url |foreach * [eval <>=<>/6]

.. it displayed the same result.. actually what to substitute for FIELD is not clear.

The another commend using untable was not able execute. it gave errors.

mindia · ‎09-11-2018

The logs contain job ids and url = "https://url/name1

I am searching for the name1 and count by I am specifying 'url'

host= index= sourcetype=syslog job=* "name1" | dedub job | fields - _raw | timechart span=1d count by url

similarly I would try for name2

host= index= sourcetype=syslog job=* "name2" | dedub job | fields - _raw | timechart span=1d count by url

renjith_nair · ‎09-11-2018

@mindia, for the foreach you dont need to substitute anything , just use FIELD as it is.

What's the error in untable ?

In the result after timechart , how many columns are you getting ? I mean is it _time,jobname1,jobname2 or is it only one job name ?

Below is a run anywhere example you could use and compare

index=_* earliest=-15m |timechart span=5m count by sourcetype|untable _time,sourcetype,count|eval count=count/6|xyseries _time,sourcetype,count

Happy Splunking!

How to get the result of timechart value divided by a number

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!