Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Question on basic subtraction in time charts

clintla
Contributor
‎07-01-2011 02:51 PM

Per below- my Total Configured_Space & Free_Space work great.

timechart eval(sum(Logical_Capacity_Blocks) / 2097152000) as Configured_Space,eval(sum(Free_contiguous_group_of_unbound_segments) / 2097152000) as Free_Space, eval(Configured_Space - Free_Space)

Now I'd like to have a listing of consumed space in my chart which means I really need
to subtract Free_Space from Configured_Space & I've tried several variations which
dont really work.
keep getting

Error in 'timechart' command: The eval expression has no fields: 'WDC_Configured_Space - Free_Space'

I've found the doc's page & it never really comes out & says how to subtract.
http://www.splunk.com/base/Documentation/4.2.1/SearchReference/Eval

What is the correct syntax to do subtraction?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎07-05-2011 09:54 PM

Hi Clintla

well I can fire up your command like this:

* | timechart eval(sum(Logical_Capacity_Blocks_) / 2097152000) as Configured_Space, eval(sum(Free_contiguous_group_of_unbound_segments) / 2097152000) as Free_Space | eval consumed_space = Configured_Space - Free_Space

it runs without any error and brings up an result.

cheers

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎07-05-2011 09:54 PM

Hi Clintla

well I can fire up your command like this:

* | timechart eval(sum(Logical_Capacity_Blocks_) / 2097152000) as Configured_Space, eval(sum(Free_contiguous_group_of_unbound_segments) / 2097152000) as Free_Space | eval consumed_space = Configured_Space - Free_Space

it runs without any error and brings up an result.

cheers

Reply
Solved! Jump to solution

clintla
Contributor
‎07-06-2011 03:04 PM

Thanks, That works... I feel like I got what I asked for & not what I wanted. I used a , instead of a pipe.

Not really sure why there is not more documentation on
Do's & donts.

I'd like to have a graph of used/free space but the above
throws in total space which messes up the graph.

try things like
source="OSDC" | timechart eval(sum(Free_contiguous_group_of_unbound_segments) / 2097152000) as Free_Space | eval Consumed_space = eval(sum(Logical_Capacity_Blocks) / 2097152000) - Free_Space

& it tells me SUM is not supported. puzzling.

other tries- says no fields.

I'll try some more.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎07-03-2011 11:32 PM

Hi clintla

have you tried the following eval?

eval consumed_space = Configured_Space - Free_Space

regrads

Reply
Solved! Jump to solution

splunkpoornima
Communicator
‎10-16-2012 03:39 AM

hi i also got the same error

0 Karma
Reply
Solved! Jump to solution

clintla
Contributor
‎07-05-2011 09:32 AM

I think so. Get this error

Error in 'timechart' command: The specifier 'eval' is invalid. It must be in form (). For example: max(size).

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...