Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to one index two different device count calclation

Richard_400
Engager
‎05-22-2024 10:29 PM

I want chart as follow.

I could show count each count value (cannot Calc field)

(index=interface_count devicename IN ($select_device$) INTinfo1=Gi0/1 OR Gi0/2 data_field_name=Rx_counter) OR (index=interface_count devicename IN ($select_device2$) description IN ($select_device$) data_field_name=Rx_counter)
timechart span=5m eval(round(max(eval(Rx/1E5)),1)) as Rx_count by INTinfo1
_time Device_A Gi0/1 (a) Device_A Gi0/2 (b) Device_B Gi0/8 (c) Calc A+B-C
10:00 100 200 50 250
10:05 100 300 80 320
10:10 150 250 100 300

 

 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-22-2024 11:44 PM

Hi @Richard_400,

you have to use a function (e.g. count or sum or avg) begore of the eval in the stats command:

 

(index=interface_count devicename IN ($select_device$) INTinfo1=Gi0/1 OR Gi0/2 data_field_name=Rx_counter) OR (index=interface_count devicename IN ($select_device2$) description IN ($select_device$) data_field_name=Rx_counter)
| timechart span=5m max(Rx/1E5) as Rx_count by INTinfo1

 

Ciao.

Giuseppe

0 Karma
Reply

Richard_400
Engager
‎05-23-2024 05:14 AM

how can I type it?

I tried sum function but it results value A+B+C. 

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...