Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I add an additional calculation to a chart?

andrewtrobec
Motivator
‎11-21-2016 02:53 PM

Hello,

I have two separate chart calculations that I would like to combine into a single chart. The first is an avg calculation on a field grouped by two fields while the second is a distinct_count calculation on another field grouped by one field. So assuming a have four different fields, the two separate chart commands are:

chart avg(FIELD1) by FIELD2, FIELD3
chart distinct_count(FIELD4) by FIELD2

I am trying to combine them so that the distinct_count ends up as the final column of the generated table. I have tried using:

chart avg(FIELD1) distinct_count(FIELD4) by FIELD2, FIELD3

but all that accomplishes is splitting the distinct_count over FIELD3 as well, which is what I don't want.

Is there a way of combining the two so that the distinct_count appears as a column at the end being grouped by FIELD2?

Thank you!

Andrew

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-21-2016 04:12 PM

Try this

*UPDATED*

.... | eventstats dc(field4) as dc_f4 by field2 | eval field2= field2."#".dc_f4 | chart avg(field1) as average over field2 by field3 | rex field=field2 "(?<field2>[^#]+)#(?<distinct_count>.*)"

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-21-2016 04:12 PM

Try this

*UPDATED*

.... | eventstats dc(field4) as dc_f4 by field2 | eval field2= field2."#".dc_f4 | chart avg(field1) as average over field2 by field3 | rex field=field2 "(?<field2>[^#]+)#(?<distinct_count>.*)"
Reply
Solved! Jump to solution

lnn2204
Path Finder
‎10-15-2021 07:54 PM

Hi Sundareshr, i got this problem, i want to add value 1 to 2 and remove the Shift0, do you have any solution? ThanksUntitled.png

0 Karma
Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎11-21-2016 10:25 PM

Hello sunhareshr. This works, but adds a new column for each value of FIELD3 instead of just adding one. There is no difference between 

.... | eventstats dc(field4) as dc_f4 by field2 | chart avg(field1) as average values(dc_f4) as dist_count over field2 by field3

and

.... | eventstats dc(field4) as dc_f4 by field2 | chart avg(field1) as average values(dc_f4) as dist_count by field2, field3

any ideas?

Thanks!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-22-2016 12:53 AM

Try the updated query

0 Karma
Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎11-22-2016 03:26 AM

Thanks, this works! I will do some reverse engineering to figure out the logic behind it. I appreciate your help!

0 Karma
Reply
Solved! Jump to solution

bshuler_splunk
Splunk Employee
Splunk Employee
‎11-21-2016 03:01 PM 
somesearch | chart avg(FIELD1) by FIELD2, FIELD3 | append [search somesearch | chart distinct_count(FIELD4) by FIELD2]
0 Karma
Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎11-21-2016 10:18 PM

Thanks bshuler. The append command adds a new column to the chart, but the values are appended at the bottom as an entire new table. So basically the first half of the table is

chart avg(FIELD1) by FIELD2, FIELD3

with the distinct_count column blank, while the second half of the table is

chart distinct_count(FIELD4) by FIELD2

with all the avg columns blank.

Any ideas?

Thanks!

Andrew

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...