Turn on suggestions

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results forย

Dashboards & Visualizations

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results forย

- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Am I allowed to do an eval inside a sum when creat...

- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

richkappler

Path Finder

โ02-09-2018
08:13 AM

I've been poking at this for a couple of hours, I think I'm missing something obvious but it's a forest for trees thang.

I have to create 2 dashboards, first is done and tested sat, second uses all of the first except the last line. No, I can't post the exact code. Suffice it to say, I have aggregated 6 fields, a, b, c, x, y, z.

In the first panel, I had to sum a, b, c and then display them in a timechart span=1mon as a stacked bar chart. Works great.

In the second panel I have to sum x, y, z, then take that and subtract it from sum of a, b, c, and present sum of x, y, z and diff (a+b+c) - (x+y+z) in a stacked bar chart, span=1mon.

Here's the line I have to try to do this, but its not presnting any values (nor errors):

| timechart span=1mon sum(eval (sum(a) + sum(b) + sum(c)) as value1) sum(eval (sum(a) + sum(b) + sum(c) - sum(x) - sum(y) - sum(z)) as value2)

Am I allowed to do an eval inside a sum? Is that the issue?

1 Solution

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

elliotproebstel

Champion

โ02-09-2018
08:57 AM

`stats`

call, you don't have any *time fields left, because you didn't carry them through the stats. The timechart command requires a `*time` field to work.

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

elliotproebstel

Champion

โ02-09-2018
08:57 AM

`stats`

call, you don't have any *time fields left, because you didn't carry them through the stats. The timechart command requires a `*time` field to work.

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

richkappler

Path Finder

โ02-09-2018
09:02 AM

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

micahkemp

Champion

โ02-09-2018
09:09 AM

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

elliotproebstel

Champion

โ02-09-2018
09:34 AM

Thanks, @micah ๐

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

gcusello

Legend

โ02-09-2018
08:27 AM

Hi richkappler,

are you using Post Process search?

if yes, at the end of the base search you have to insert

```
| fields list_of_used_fields
```

if this isn't your problem, try

```
| bin_time span=1mon
| eval value1=a+b+c, value2=a+b+c-x-y-z
| timechart sum(value1) AS value1 sum(value2) AS value2 BY _time
```

Bye.

Giuseppe

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

richkappler

Path Finder

โ02-09-2018
08:51 AM

Thanks Giuseppe, that didn't quite work. Here's what I've got now:

| stats sum(x) as X, sum(y) as Y, sum(z) as Z, sum(a) as A, sum(b) as B, sum(c) as C

| eval VALUE*1= X + Y + Z
| eval VALUE*2=A + B + C - VALUE

| timechart span=1mon sum(VALUE

If I leave off that last line, I get the statistics table with all the correct values. Adding the timechart gives me no result.

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

richkappler

Path Finder

โ02-09-2018
08:16 AM

I see I added too many parens, it's actually this:

| timechart span=1mon sum(eval (sum(a) + sum(b) + sum(c)) as value1 sum(eval (sum(a) + sum(b) + sum(c) - sum(x) - sum(y) - sum(z)) as value2

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

richkappler

Path Finder

โ02-09-2018
08:26 AM