Solved: How to manipulate stats or chart results mathemati...

MaxwellCrew · ‎07-18-2018

Hey everyone,

I've got a search

search = *
| eval _time=_time - (6*60*60) 
| bucket _time span=1d

# Takes the current time and rolls it back six hours. We operate on a 6am-6am reporting schedule.

| eval MaterialType = case(match(lotNumber,"regex") OR lotNumber = "WasteLots","Waste",match(field1,"regex"),"Production")

# Designates each event as a waste event (using the Lot #) or a production event (using the value in field1)

| where isnotnull(MaterialType)
| eval time = strftime(_time,"%m/%d/%y")
| chart sum(netWeightQty) by time, MaterialType
| eval _time=_time + (6*60*60)

Now this | chart generates the following:

How can I get a value, for each date, of Waste% = 100 * Waste / (Production + Waste)?

Thanks!

renjith_nair · ‎07-18-2018

@MaxwellCrew,

Just add the same to the end of your search i.e

|eval "Waste%" = (100 * Waste) / (Production + Waste)

Happy Splunking!

View solution in original post

renjith_nair · ‎07-18-2018

@MaxwellCrew,

Just add the same to the end of your search i.e

|eval "Waste%" = (100 * Waste) / (Production + Waste)

Happy Splunking!

MaxwellCrew · ‎07-18-2018

Welp. Definitely didn't realize it was that easy.

MaxwellCrew · ‎07-18-2018

Quick question: how can I go about getting the visualization to work? I am using the "Single value" option, with trend, and it is only taking the waste% value for the first date in the span and reporting it.

Edit: Playing around with the | timechart command now.

renjith_nair · ‎07-18-2018

Alright, just one suggestion - try not to change the _time . use another variable for calculations to and use that variable instead.

Happy Splunking!

How to manipulate stats or chart results mathematically?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor