
How can I merge two columns in a timechart?

Path Finder

I'm using the timechart command and I have a chart that looks something like this:

_time                  Column-v01   Column-v02
2018-11-21 09:15:00            12           13
2018-11-21 09:20:00            23           11
2018-11-21 09:25:00            34            2
2018-11-21 09:30:00            32            3

Is there a way that I can merge 'Column-v01' and 'Column-v02' into a new column called 'Column'? My expected result should look like this:

_time                  Column
2018-11-21 09:15:00        25
2018-11-21 09:20:00        34
2018-11-21 09:25:00        36
2018-11-21 09:30:00        35

I have already tried using a rex statement:

| rex field=svc mode=sed "s/Column-v0*/Column/g"

and an eval statement:

| eval field=if(field=="Column-v01" OR field=="Column-v02","Column",field)

But neither of these worked.

Any help is appreciated!

0 Karma

Re: How can I merge two columns in a timechart?

Communicator

blah blah blah, whatever search creates your first table
| eval Column=(Column-v01 + Column-v02)
| timechart

0 Karma

Re: How can I merge two columns in a timechart?

Path Finder

Unfortunately, this doesn't work for me. 😕

0 Karma

Re: How can I merge two columns in a timechart?

Influencer

After your timechart command, add the code below:

| eval Column=Column-v01 + Column-v02 | fields - Column-v01 Column-v02



Re: How can I merge two columns in a timechart?

Path Finder

I've tried this, but it still doesn't work. I don't see those two columns anymore, but there's no new column.

0 Karma

Re: How can I merge two columns in a timechart?

Influencer

This works for me. Can you please paste the query you are using?

0 Karma

Re: How can I merge two columns in a timechart?

Path Finder

index=test_index sourcetype=test_st
| timechart span=5m count by field limit=0
| eval Column=Column-v01 + Column-v02
| fields - Column-v01 Column-v02

Changed some names, but this is exactly how I have it formatted. It may also help to know I'm using an older version of Splunk (6.5.5).

0 Karma

Re: How can I merge two columns in a timechart?

Influencer

Does this:

| timechart span=5m count by field limit=0

give you the column names Column-v01 and Column-v02?

0 Karma

Re: How can I merge two columns in a timechart?

Path Finder

Yes, the column names are there.

0 Karma

Re: How can I merge two columns in a timechart?

Influencer

Can you rename your columns after the timechart and try:

index=test_index sourcetype=test_st | timechart span=5m count by field limit=0 | rename "Column-v01" as v1, "Column-v02" as v2 | eval Column=v1 + v2 | fields - v1 v2

0 Karma
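Added example, not part of the thread above. The rename workaround in the last reply works because it removes the hyphens; the earlier attempts produce no Column field because eval parses an unquoted Column-v01 as the expression Column minus v01, and a field name containing anything other than letters, digits and underscores has to be written in single quotes inside eval. The two stand-alone searches below show both ways of merging the series: the first keeps the thread's post-timechart approach with the field names quoted and coalesce() so that a by-value that never appears in the time range (and therefore has no column at all) counts as 0 instead of turning the whole sum into null; the second merges the two values before timechart runs, which is the approach the original poster's if() eval was reaching for but placed after the chart. The index, sourcetype and field names are the placeholders from the thread, and the search operates on a hypothetical set of events.

```spl
index=test_index sourcetype=test_st
| timechart span=5m count by field limit=0
| eval Column=coalesce('Column-v01', 0) + coalesce('Column-v02', 0)
| fields - Column-v01 Column-v02

index=test_index sourcetype=test_st
| eval field=if(field=="Column-v01" OR field=="Column-v02", "Column", field)
| timechart span=5m count by field limit=0
```

Run them separately. The second form is usually the one to prefer when the merged series feeds a dashboard or alert, since it needs no knowledge of which columns timechart happened to emit and extends to more variants by replacing the if() with match(field, "^Column-v0[0-9]$"). The first form is the one to use when the timechart output is already produced by a saved search or a data model and cannot be changed; the quoting rule there applies to any field name with a hyphen, dot or space, not just these two.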