How to one index two different device count calcla...

Richard_400 · ‎05-22-2024

I want chart as follow.

I could show count each count value (cannot Calc field)

(index=interface_count devicename IN ($select_device$) INTinfo1=Gi0/1 OR Gi0/2 data_field_name=Rx_counter) OR (index=interface_count devicename IN ($select_device2$) description IN ($select_device$) data_field_name=Rx_counter)
timechart span=5m eval(round(max(eval(Rx/1E5)),1)) as Rx_count by INTinfo1

_time	Device_A Gi0/1 (a)	Device_A Gi0/2 (b)	Device_B Gi0/8 (c)	Calc A+B-C
10:00	100	200	50	250
10:05	100	300	80	320
10:10	150	250	100	300

gcusello · ‎05-22-2024

Hi @Richard_400,

you have to use a function (e.g. count or sum or avg) begore of the eval in the stats command:

(index=interface_count devicename IN ($select_device$) INTinfo1=Gi0/1 OR Gi0/2 data_field_name=Rx_counter) OR (index=interface_count devicename IN ($select_device2$) description IN ($select_device$) data_field_name=Rx_counter)
| timechart span=5m max(Rx/1E5) as Rx_count by INTinfo1

Ciao.

Giuseppe

Richard_400 · ‎05-23-2024

how can I type it?

I tried sum function but it results value A+B+C.

How to one index two different device count calclation

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation