Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine timechart, stats, and eval?

vanheer
Explorer
‎04-13-2022 06:11 AM

Hi,

I have multiple fields like, counting how many items passing through gates:

 

 

 

| timechart count(eval(like(gate_id, "RG%") )) as items_RG, count(eval(NOT like(gate_id, "RG%") )) as all_items by building

 

 

 

 I want to exclude the counts of items_RG from the all_items, so I'm using :

 

 

 

| eval Total=all_items-items_RG

 

 

 

But it is not showing Total in the output, but when I use stats instead, I don't get the time column to show the graph as timechart.

 

 

 

| stats count(eval(like(gate_id, "RG%") )) as items_RG, count(eval(NOT like(gate_id, "RG%") )) as all_items by building
| eval Total=all_items-items_RG

 

 

 

I tried to use eventstats also couldn't get what I want.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venky1544
Builder
‎04-14-2022 02:21 AM

Hi @vanheer 

|bin _time span=5m| stats count(eval(like(gate_id, "RG%") )) as items_RG, count(eval(NOT like(gate_id, "RG%") )) as all_items by _time,building
| eval Total=all_items-items_RG
|fields - all_items,items_RG |xyseries _time,building,Total

 

try to append with xyseries command it should give you the  desired result 

venky1544_0-1649928051834.png

 

if this help karma points are  appreciated /accept the solution it might help others 

View solution in original post

Reply
Solved! Jump to solution

vanheer
Explorer
‎04-13-2022 09:35 AM

Thanks @venky1544 , almost there! now I have each building in a field,

|bin _time span=5m| stats count(eval(like(gate_id, "RG%") )) as items_RG, count(eval(NOT like(gate_id, "RG%") )) as all_items by _time,building
| eval Total=all_items-items_RG
|fields - all_items,items_RG
_timebuildingTotal
2022-04-13 17:20:00GT0124
2022-04-13 17:20:00GT0213
2022-04-13 17:20:00GT0329
2022-04-13 17:25:00GT0164
2022-04-13 17:25:00GT0252
2022-04-13 17:25:00GT0394

 

I need each building in a separate field to stack them in the graph.

_timeGT01GT02GT03Total
2022-04-13 17:20:00241329=24+13+29
2022-04-13 17:25:00645294=64+52+94
0 Karma
Reply
Solved! Jump to solution
Solution

venky1544
Builder
‎04-14-2022 02:21 AM

Hi @vanheer 

|bin _time span=5m| stats count(eval(like(gate_id, "RG%") )) as items_RG, count(eval(NOT like(gate_id, "RG%") )) as all_items by _time,building
| eval Total=all_items-items_RG
|fields - all_items,items_RG |xyseries _time,building,Total

 

try to append with xyseries command it should give you the  desired result 

venky1544_0-1649928051834.png

 

if this help karma points are  appreciated /accept the solution it might help others 

Reply
Solved! Jump to solution

vanheer
Explorer
‎04-14-2022 07:29 AM

@venky1544 Thank you very much, I haven't used xyseries before.

One more optional question 😀:
I've created a manual dropdown span interval, but can we keep it automated as in timechart?

0 Karma
Reply
Solved! Jump to solution

venky1544
Builder
‎04-13-2022 08:52 AM

Hi @vanheer 

try the below

|bin _time span=5m| stats count(eval(like(gate_id, "RG%") )) as items_RG, count(eval(NOT like(gate_id, "RG%") )) as all_items by _time,building
| eval Total=all_items-items_RG

 

if it helps karma points are appreciated  

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...