Solved: How can I merge two columns in a timechart?

alanzchan · ‎11-21-2018

I'm using the timechart command and I have a chart that looks something like this:

_time                            Column-v01                       Column-v02    
2018-11-21 09:15:00                   12                             13
2018-11-21 09:20:00                23                             11
2018-11-21 09:25:00                34                              2
2018-11-21 09:30:00                32                              3

Is there a way that I can merge 'Column-v01' and 'Column-v02' into a new column called 'Column'? My expected result should look like this:

_time                               Column                          
2018-11-21 09:15:00                   25                             
2018-11-21 09:20:00                34                             
2018-11-21 09:25:00                36                              
2018-11-21 09:30:00                35

I have already tried using a rex statement:

| rex field=svc mode=sed "s/Column-v0*/Column/g"

and an eval statement:

| eval field=if(field=="Column-v01" OR field=="Column-v02","Column",field)
But, neither of these worked.

Any help is appreciated!

Vijeta · ‎11-21-2018

After your timechart command, add the below code

|eval Column= Column-v01 + Column-v02 | fields -  Column-v01  Column-v02

View solution in original post

Vijeta · ‎11-21-2018

After your timechart command, add the below code

|eval Column= Column-v01 + Column-v02 | fields -  Column-v01  Column-v02

alanzchan · ‎11-21-2018

I've tried this, but it still doesn't work. I don't see those two columns anymore, but there's no new column.

Vijeta · ‎11-21-2018

This works for me, can you please paste the query you are using.

alanzchan · ‎11-21-2018

index=test_index sourcetype=test_st | timechart span=5m count by field limit=0 |eval Column= Column-v01 + Column-v02 | fields - Column-v01 Column-v02

Changed some names, but this is exactly how I have it formatted. It may also help to know I'm using an older version of Splunk (6.5.5).

Vijeta · ‎11-21-2018

does this | timechart span=5m count by field limit=0 , give you the column names Column-v01 and Column-v02?

alanzchan · ‎11-21-2018

Yes, the column names are there.

Vijeta · ‎11-21-2018

Can you rename your column names after timechart, and try

index=test_index sourcetype=test_st | timechart span=5m count by field limit=0 |rename  "Column-v01" as v1,"Column-v02" as v2|eval Column= v1 + v2 | fields - v1 v2

alanzchan · ‎11-21-2018

Thank you, Vijeta. This works perfect.

anthonymelita · ‎11-21-2018

blah blah blah, whatever search creates your first table
|eval Column=(Column-v01 + Column-v02)
|timechart

alanzchan · ‎11-21-2018

Unfortunately, this doesn't work for me. 😕

How can I merge two columns in a timechart?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

How can I merge two columns in a timechart?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25