Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to display the difference between the resu...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thewho123
Explorer
05-23-2016
04:16 PM
I display two different graphs by using the following strings.
"Sending" earliest=-7days | eval gigabytes=((bytes/1024)/1024) | timechart span=1day avg(gigabytes) AS "Gigabytes sent"
"Receiving" earliest=-7days | eval gigabytes=((bytes/1024)/1024) | timechart span=1day avg(gigabytes) AS "Gigabytes received"
I can display both in the same graph by:
"Sending" earliest=-7days | eval gigabytes=((bytes/1024)/1024) | timechart span=1day avg(gigabytes) AS "Gigabytes sent" | appendcols [search "Receiving" earliest=-7days | eval gigabytes=((bytes/1024)/1024) | timechart span=1day avg(gigabytes) AS "Gigabytes received"]
This gives me two lines (each has a value for one day for the past 7 days).
How do I display the difference between gigabytes sent and received? I want to display Gigabytes sent - gigabytes received for each day for the past 7 days.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
05-23-2016
04:27 PM
Try this
"Sending" OR "Receiving" earliest=-7days | rex "(?<action>Sending|Receiving)" | eval gigabytes=((bytes/1024)/1024) | timechart span=1day avg(gigabytes) as gb by action | eval diff=Sending-Receiving
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
05-23-2016
04:27 PM
Try this
"Sending" OR "Receiving" earliest=-7days | rex "(?<action>Sending|Receiving)" | eval gigabytes=((bytes/1024)/1024) | timechart span=1day avg(gigabytes) as gb by action | eval diff=Sending-Receiving
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thewho123
Explorer
05-23-2016
04:34 PM
Is the syntax correct? I get null for y-axis description.
Also avg bytes from sending and receiving should be separate. Wouldn't this combine all of them together ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
05-23-2016
05:46 PM
Do you not see columns for Sending and Receiving? The avg(gb) will be calculated separately for each action. If NULL is the third column, you could add usenull=f to the timechart command. You search would look like this
index=myIndex sourcetype=mySourcetype "Sending" OR "Receiving" earliest=-7d@d | rex "(?<action>Sending|Receiving)" | eval gigabytes=((bytes/1024)/1024) | timechart usenull=f span=1day avg(gigabytes) as gb by action | eval diff=Sending-Receiving
Get Updates on the Splunk Community!
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...
What’s New in Splunk Observability – September 2025
What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...
Fun with Regular Expression - multiples of nine
Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...
