Solved: How can I merge two columns in a timechart?

alanzchan · ‎11-21-2018

I'm using the timechart command and I have a chart that looks something like this:

_time                            Column-v01                       Column-v02    
2018-11-21 09:15:00                   12                             13
2018-11-21 09:20:00                23                             11
2018-11-21 09:25:00                34                              2
2018-11-21 09:30:00                32                              3

Is there a way that I can merge 'Column-v01' and 'Column-v02' into a new column called 'Column'? My expected result should look like this:

_time                               Column                          
2018-11-21 09:15:00                   25                             
2018-11-21 09:20:00                34                             
2018-11-21 09:25:00                36                              
2018-11-21 09:30:00                35

I have already tried using a rex statement:

| rex field=svc mode=sed "s/Column-v0*/Column/g"

and an eval statement:

| eval field=if(field=="Column-v01" OR field=="Column-v02","Column",field)
But, neither of these worked.

Any help is appreciated!

Vijeta · ‎11-21-2018

After your timechart command, add the below code

|eval Column= Column-v01 + Column-v02 | fields -  Column-v01  Column-v02

View solution in original post

Vijeta · ‎11-21-2018

After your timechart command, add the below code

|eval Column= Column-v01 + Column-v02 | fields -  Column-v01  Column-v02

alanzchan · ‎11-21-2018

I've tried this, but it still doesn't work. I don't see those two columns anymore, but there's no new column.

Vijeta · ‎11-21-2018

This works for me, can you please paste the query you are using.

alanzchan · ‎11-21-2018

index=test_index sourcetype=test_st | timechart span=5m count by field limit=0 |eval Column= Column-v01 + Column-v02 | fields - Column-v01 Column-v02

Changed some names, but this is exactly how I have it formatted. It may also help to know I'm using an older version of Splunk (6.5.5).

Vijeta · ‎11-21-2018

does this | timechart span=5m count by field limit=0 , give you the column names Column-v01 and Column-v02?

alanzchan · ‎11-21-2018

Yes, the column names are there.

Vijeta · ‎11-21-2018

Can you rename your column names after timechart, and try

index=test_index sourcetype=test_st | timechart span=5m count by field limit=0 |rename  "Column-v01" as v1,"Column-v02" as v2|eval Column= v1 + v2 | fields - v1 v2

alanzchan · ‎11-21-2018

Thank you, Vijeta. This works perfect.

anthonymelita · ‎11-21-2018

blah blah blah, whatever search creates your first table
|eval Column=(Column-v01 + Column-v02)
|timechart

alanzchan · ‎11-21-2018

Unfortunately, this doesn't work for me. 😕

How can I merge two columns in a timechart?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation