Solved: How to manipulate stats or chart results mathemati...

MaxwellCrew · ‎07-18-2018

Hey everyone,

I've got a search

search = *
| eval _time=_time - (6*60*60) 
| bucket _time span=1d

# Takes the current time and rolls it back six hours. We operate on a 6am-6am reporting schedule.

| eval MaterialType = case(match(lotNumber,"regex") OR lotNumber = "WasteLots","Waste",match(field1,"regex"),"Production")

# Designates each event as a waste event (using the Lot #) or a production event (using the value in field1)

| where isnotnull(MaterialType)
| eval time = strftime(_time,"%m/%d/%y")
| chart sum(netWeightQty) by time, MaterialType
| eval _time=_time + (6*60*60)

Now this | chart generates the following:

How can I get a value, for each date, of Waste% = 100 * Waste / (Production + Waste)?

Thanks!

renjith_nair · ‎07-18-2018

@MaxwellCrew,

Just add the same to the end of your search i.e

|eval "Waste%" = (100 * Waste) / (Production + Waste)

Happy Splunking!

View solution in original post

renjith_nair · ‎07-18-2018

@MaxwellCrew,

Just add the same to the end of your search i.e

|eval "Waste%" = (100 * Waste) / (Production + Waste)

Happy Splunking!

MaxwellCrew · ‎07-18-2018

Welp. Definitely didn't realize it was that easy.

MaxwellCrew · ‎07-18-2018

Quick question: how can I go about getting the visualization to work? I am using the "Single value" option, with trend, and it is only taking the waste% value for the first date in the span and reporting it.

Edit: Playing around with the | timechart command now.

renjith_nair · ‎07-18-2018

Alright, just one suggestion - try not to change the _time . use another variable for calculations to and use that variable instead.

Happy Splunking!

How to manipulate stats or chart results mathematically?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms