Re: Make operations between two columns

nalagito · ‎05-19-2022

Hello, I have this query:

| mstats avg(_value) as packets WHERE index=metrics_index sourcetype=network_metrics (metric_name=*.out) ((metric_name="InterfaceEthernetA.*" OR metric_name="InterfaceEthernetB.*") AND (host="hostA" OR host="hostB")) span=1m by metric_name,host 
| rex field=metric_name ".*InterfaceEthernet(?<mn>\d_\d*)"
| eval kbits=packets*8/1000
| timechart span=30m sum(kbits) by mn

It returns this results:

From those results, I would like to make operations generating another column with those results...

For example: (ColumnA - ColumnB) / ColumnA * 100

How could I do that?

gcusello · ‎05-19-2022

Hi @nalagito,

if the values of ColumnA and ColumnB are fixed, you can use the eval command to make the calculation you need.

If instead they aren't fixed, is much more complicated.

Ciao.

Giuseppe

nalagito · ‎05-19-2022

@gcusello

Could you please give me an example? What do you mean with "fixed"?

gcusello · ‎05-19-2022

Hi @nalagito,

if the values of mn are always:

my_mn1,
my_mn2.

in this case you can make operations using my_mn1 and my_mn2 as column name.

Ciao.

Giuseppe

How to Make operations between two columns

chart

field extraction

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Splunk Observability Metrics Cost Optimization

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation