Re: Make operations between two columns

nalagito · ‎05-19-2022

Hello, I have this query:

| mstats avg(_value) as packets WHERE index=metrics_index sourcetype=network_metrics (metric_name=*.out) ((metric_name="InterfaceEthernetA.*" OR metric_name="InterfaceEthernetB.*") AND (host="hostA" OR host="hostB")) span=1m by metric_name,host 
| rex field=metric_name ".*InterfaceEthernet(?<mn>\d_\d*)"
| eval kbits=packets*8/1000
| timechart span=30m sum(kbits) by mn

It returns this results:

From those results, I would like to make operations generating another column with those results...

For example: (ColumnA - ColumnB) / ColumnA * 100

How could I do that?

gcusello · ‎05-19-2022

Hi @nalagito,

if the values of ColumnA and ColumnB are fixed, you can use the eval command to make the calculation you need.

If instead they aren't fixed, is much more complicated.

Ciao.

Giuseppe

nalagito · ‎05-19-2022

@gcusello

Could you please give me an example? What do you mean with "fixed"?

gcusello · ‎05-19-2022

Hi @nalagito,

if the values of mn are always:

my_mn1,
my_mn2.

in this case you can make operations using my_mn1 and my_mn2 as column name.

Ciao.

Giuseppe

How to Make operations between two columns

chart

field extraction

stats

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services