Splunk Search

How to multiply one event value by another event value?

Thail
Explorer

Might be simple, but i run a search for tags and values and i get the information. What is the proper syntax to multiply one event value by another event value?

Thanks in advance.

Labels (1)
Tags (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

There isn't one.  Events are treated separately so Splunk can't work with values from different events.  Exceptions exist for certain functions (range, for instance) in aggregating commands.

Tell us more about the problem you're trying to solve and perhaps we can suggest a solution.

---
If this reply helps you, Karma would be appreciated.

Thail
Explorer

Thail_0-1645813312583.png

I just want to be able to multiply these two values without needing to do it at the PLC level

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Those two events will have to be combined into a single event so Splunk can "see" both values at the same time and work with them.  One problem, however, is there appears to be nothing in common between the events that would tell Splunk they should be joined.  Can you elaborate on the use case, please?

---
If this reply helps you, Karma would be appreciated.

Thail
Explorer

Only 2 tags from the plc to multiply to get "production per hour"

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If there are only 2 results then this should do the job.

index=foo Tag="Twin_PLC.Twin_PLC.Global.ProdTrend"
| rename Value was ProdTrend
| appendcols [ index=foo Tag="Board Edger.Edger_PLC.Global.DailyBlkAvg" | rename Value as DailyBlkAvg ]
| eval product=ProdTrend * DailyBlkAvg
| table ProdTrend DailyBlkAvg product

If there are more than 2 results then Splunk will need to know how to pair them so the calculations are accurate.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Thail
Explorer

this one didnt quite work...

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I can't see your screen from here so you'll have to write down what results you got and what results you expected to get.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...