Splunk Search
Highlighted

How to create a timechart from calculated value?

New Member

Hello I have a search to plot the calculated value over time. However the search is not working as expected.

| eval Output1 = Value1 * 10
| eval Output2 = ((10 * (Value2)) + Output1)
| timechart span=1m values(Output2)  by host 

The above search is not plotting the Output2 value graph. If I just change the value for Output1 in eval Output2 then it works i.e.

| eval Output2 = ((10 * (Value2)) + 10)

Is there any other way to timechart calculated value?

0 Karma
Highlighted

Re: How to create a timechart from calculated value?

Builder

could you doublecheck the format of your fields to be numeric?

0 Karma
Highlighted

Re: How to create a timechart from calculated value?

New Member

Output1 field is numeric too.
| eval Output1 = Value1 - 10

0 Karma
Highlighted

Re: How to create a timechart from calculated value?

SplunkTrust
SplunkTrust

I would try like this

| eval Output1 = 'Value1'*10
 | eval Output2 = ((10*'Value2') + 'Output1')
 | timechart span=1m values(Output2)  by host 

The values function may give multivalued field if your data coming multiple times in a minute and nothing will be plotted. If that is the case you may want to different function here (min, max, avg, sum etc instead of values).

View solution in original post

0 Karma
Highlighted

Re: How to create a timechart from calculated value?

New Member

Since the data is coming every minute with the values function there was no data. And I changed to the below query and its working now.

| eval Output1 = 'Value1'*10
| eval Output2 = (10*'Value2')
| timechart span=1m perc90(Output2) eval(avg(Ouput1) + avg(Output2)) as total_out by host

Thanks somesoni2

0 Karma