Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Eval Equals Another Field

cquinney
Communicator
‎03-04-2019 06:56 PM

Greetings,

I have a query that ends with a timechart command

| timechart span=1h eval(round(avg(FIELD),0)) as "Response" by source_type

Previously, I created thresholds for my timechart by using eval

| eval Normal = 500
| eval High = 1000

However, as my number of source_types grew, I could no longer utilize the same thresholds. I've created a lookup that contains the necessary thresholds for each specific source_type, and I can see the new field created in the fields column on the left hand side of the screen. However, I'm having trouble adding this new field or setting this new field as its intended threshold delimiter.

So how can create a timechart (which I have to keep/utilize) and incorporate my thresholds from my lookup?

The final output would look similar to this:

_time              Source_Type     Normal          High
3/3/19             ABC               500             1000

Any help is greatly appreciated.

0 Karma
Reply

woodcock
Esteemed Legend
‎03-04-2019 07:26 PM

Like this:

... | timechart span=1h eval(round(avg(FIELD),0)) AS Response BY Source_Type
| untable _time sourcetype count
| lookup MyThresholdLookup Source_Type
...
0 Karma
Reply

cquinney
Communicator
‎03-04-2019 07:40 PM

Thank you for suggestion but it didn't give the outcome I need. Do you know of a way to to create a new field based on another field or from the lookup?

| eval Normal=Lookup.csv Normal

0 Karma
Reply

woodcock
Esteemed Legend
‎03-04-2019 07:50 PM

Let's start over. Show me:
1: A few raw events
2: Your full search (all of it)
3: Your current output
4: The first 2 lines of your Lookup.csv file
5: A mockup of your desired output

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...