Splunk Search

How can I merge two columns in a timechart?

alanzchan
Path Finder

I'm using the timechart command and I have a chart that looks something like this:

_time                            Column-v01                       Column-v02    
2018-11-21 09:15:00                   12                             13
2018-11-21 09:20:00                23                             11
2018-11-21 09:25:00                34                              2
2018-11-21 09:30:00                32                              3

Is there a way that I can merge 'Column-v01' and 'Column-v02' into a new column called 'Column'? My expected result should look like this:

_time                               Column                          
2018-11-21 09:15:00                   25                             
2018-11-21 09:20:00                34                             
2018-11-21 09:25:00                36                              
2018-11-21 09:30:00                35                 

I have already tried using a rex statement:

| rex field=svc mode=sed "s/Column-v0*/Column/g"

and an eval statement:

| eval field=if(field=="Column-v01" OR field=="Column-v02","Column",field)
But, neither of these worked.

Any help is appreciated!

0 Karma
1 Solution

Vijeta
Influencer

After your timechart command, add the below code

|eval Column= Column-v01 + Column-v02 | fields -  Column-v01  Column-v02 

View solution in original post

Vijeta
Influencer

After your timechart command, add the below code

|eval Column= Column-v01 + Column-v02 | fields -  Column-v01  Column-v02 

alanzchan
Path Finder

I've tried this, but it still doesn't work. I don't see those two columns anymore, but there's no new column.

0 Karma

Vijeta
Influencer

This works for me, can you please paste the query you are using.

0 Karma

alanzchan
Path Finder

index=test_index sourcetype=test_st
| timechart span=5m count by field limit=0
|eval Column= Column-v01 + Column-v02
| fields - Column-v01 Column-v02

Changed some names, but this is exactly how I have it formatted. It may also help to know I'm using an older version of Splunk (6.5.5).

0 Karma

Vijeta
Influencer

does this | timechart span=5m count by field limit=0 , give you the column names Column-v01 and Column-v02?

0 Karma

alanzchan
Path Finder

Yes, the column names are there.

0 Karma

Vijeta
Influencer

Can you rename your column names after timechart, and try

index=test_index sourcetype=test_st | timechart span=5m count by field limit=0 |rename  "Column-v01" as v1,"Column-v02" as v2|eval Column= v1 + v2 | fields - v1 v2
0 Karma

alanzchan
Path Finder

Thank you, Vijeta. This works perfect.

0 Karma

anthonymelita
Contributor

blah blah blah, whatever search creates your first table
|eval Column=(Column-v01 + Column-v02)
|timechart

0 Karma

alanzchan
Path Finder

Unfortunately, this doesn't work for me. 😕

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...