I'm using the timechart command and I have a chart that looks something like this:
_time Column-v01 Column-v02
2018-11-21 09:15:00 12 13
2018-11-21 09:20:00 23 11
2018-11-21 09:25:00 34 2
2018-11-21 09:30:00 32 3
Is there a way that I can merge 'Column-v01' and 'Column-v02' into a new column called 'Column'? My expected result should look like this:
_time Column
2018-11-21 09:15:00 25
2018-11-21 09:20:00 34
2018-11-21 09:25:00 36
2018-11-21 09:30:00 35
I have already tried using a rex statement:
| rex field=svc mode=sed "s/Column-v0*/Column/g"
and an eval statement:
| eval field=if(field=="Column-v01" OR field=="Column-v02","Column",field)
But neither of these worked.
Any help is appreciated!
After your timechart command, add the code below:
|eval Column= Column-v01 + Column-v02 | fields - Column-v01 Column-v02
I've tried this, but it still doesn't work. I don't see those two columns anymore, but there's no new column.
This works for me; can you please paste the query you are using?
index=test_index sourcetype=test_st
| timechart span=5m count by field limit=0
|eval Column= Column-v01 + Column-v02
| fields - Column-v01 Column-v02
Changed some names, but this is exactly how I have it formatted. It may also help to know I'm using an older version of Splunk (6.5.5).
Does this
| timechart span=5m count by field limit=0
give you the column names Column-v01 and Column-v02?
Yes, the column names are there.
Can you rename your columns after timechart and try:
index=test_index sourcetype=test_st | timechart span=5m count by field limit=0 |rename "Column-v01" as v1,"Column-v02" as v2|eval Column= v1 + v2 | fields - v1 v2
Thank you, Vijeta. This works perfectly.
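As an added example, not posted by anyone in this thread, the same merge without renaming: in eval, a field name that contains a hyphen has to be wrapped in single quotes, otherwise Column-v01 is parsed as the subtraction Column minus v01 of two fields that do not exist, the result is null, and no Column field appears, which is exactly the symptom reported above. coalesce() additionally guards the case where one of the two values never occurs in the time range, so timechart emits no column for it and the plain sum would again be null. The index and sourcetype names are the placeholders from the thread, not real data sources.

```spl
index=test_index sourcetype=test_st
| timechart span=5m count by field limit=0
| eval Column = coalesce('Column-v01', 0) + coalesce('Column-v02', 0)
| fields - Column-v01 Column-v02
```

The rename-then-add query in the accepted answer sidesteps the same quoting problem by giving the fields hyphen-free names first; both forms produce the single Column series the question asks for.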
blah blah blah, whatever search creates your first table
|eval Column=(Column-v01 + Column-v02)
|timechart
Unfortunately, this doesn't work for me. 😕