Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to perform subtraction on results?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm currently using this in a search:
index=OS sourcetype=cpu | timechart avg(pctIdle) by host
This typically gives a result of around 96% for the host I'm running the query on. I want to subtract that from 100 to give a result of 4%. I know this should be simple, but I haven't got it to work yet. Any help is appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So after you timechart command, you'll get column _time and one column for each host with name of the column being the host name (e.g. _time host1 host2 etc). How to do any operation on those fields, you'd need to use the exact field name (which is the host name), so you can either use the hardcoded name of the host like this (putting it in single quotes in the expression parts as it may have special chars)
index=OS sourcetype=cpu | timechart avg(pctIdle) by host
| eval "HardCodedHostName"=100-'HardCodedHostName'
OR if you want to do this for all host columns, you can use this foreach command (the <<FIELD>> to be used literally the way it's used here, no replacement required. see this for more details on foreach command)
index=OS sourcetype=cpu | timechart avg(pctIdle) by host
| foreach * [| eval "<<FIELD>>"=100-'<<FIELD>>'] [1]:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @brosselle
try this below query
index=OS sourcetype=cpu | timechart avg(pctIdle) by host |eval calc = (100 - 'hostfieldnamefrompreviuosresults') | fields calc hostfieldnamefrompreviuosresults
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So after you timechart command, you'll get column _time and one column for each host with name of the column being the host name (e.g. _time host1 host2 etc). How to do any operation on those fields, you'd need to use the exact field name (which is the host name), so you can either use the hardcoded name of the host like this (putting it in single quotes in the expression parts as it may have special chars)
index=OS sourcetype=cpu | timechart avg(pctIdle) by host
| eval "HardCodedHostName"=100-'HardCodedHostName'
OR if you want to do this for all host columns, you can use this foreach command (the <<FIELD>> to be used literally the way it's used here, no replacement required. see this for more details on foreach command)
index=OS sourcetype=cpu | timechart avg(pctIdle) by host
| foreach * [| eval "<<FIELD>>"=100-'<<FIELD>>'] [1]:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wow. I would have never come up with this:
| foreach * [| eval "<>"=100-'<>']
Worked perfectly. Thank you!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
