Splunk Search

Question on basic subtraction in time charts

clintla
Communicator

Per below, my total Configured_Space & Free_Space work great.

timechart eval(sum(Logical_Capacity_Blocks) / 2097152000) as Configured_Space,eval(sum(Free_contiguous_group_of_unbound_segments) / 2097152000) as Free_Space, eval(Configured_Space - Free_Space)

Now I'd like to have a listing of consumed space in my chart, which means I really need to subtract Free_Space from Configured_Space & I've tried several variations which don't really work.
I keep getting

Error in 'timechart' command: The eval expression has no fields: 'WDC_Configured_Space - Free_Space'

I've found the docs page & it never really comes out & says how to subtract.
http://www.splunk.com/base/Documentation/4.2.1/SearchReference/Eval

What is the correct syntax to do subtraction?

0 Karma
1 Solution

MuS
SplunkTrust

Hi Clintla

Well, I can fire up your command like this:

* | timechart eval(sum(Logical_Capacity_Blocks) / 2097152000) as Configured_Space, eval(sum(Free_contiguous_group_of_unbound_segments) / 2097152000) as Free_Space | eval consumed_space = Configured_Space - Free_Space

It runs without any error and brings up a result.

cheers


clintla
Communicator

Thanks, that works... I feel like I got what I asked for & not what I wanted. I used a , instead of a pipe.

Not really sure why there is not more documentation on do's & don'ts.

I'd like to have a graph of used/free space but the above throws in total space, which messes up the graph.

I try things like
source="OSDC" | timechart eval(sum(Free_contiguous_group_of_unbound_segments) / 2097152000) as Free_Space | eval Consumed_space = eval(sum(Logical_Capacity_Blocks) / 2097152000) - Free_Space

& it tells me SUM is not supported. Puzzling.

Other tries say no fields.

I'll try some more.

0 Karma

MuS
SplunkTrust

Hi clintla

Have you tried the following eval?

eval consumed_space = Configured_Space - Free_Space

regards

splunkpoornima
Communicator

Hi, I also got the same error.

0 Karma

clintla
Communicator

I think so. Get this error

Error in 'timechart' command: The specifier 'eval' is invalid. It must be in form (). For example: max(size).

0 Karma
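
Added example, not part of any post in this thread: the accepted answer's pattern (aggregate inside timechart, then subtract in a separate eval after the pipe, where Configured_Space and Free_Space exist as columns of the timechart output), extended with `fields -` to drop the total column so only free and consumed space are charted. The `makeresults` events and their values are constructed sample data so the search runs without the original source; the field names are the ones from the question.

```spl
| makeresults count=48
| streamstats count as n
| eval _time = relative_time(now(), "-2d@h") + n * 3600
| eval Logical_Capacity_Blocks = 2097152000 * 100
| eval Free_contiguous_group_of_unbound_segments = 2097152000 * (40 - (n % 10))
| timechart span=1h eval(sum(Logical_Capacity_Blocks) / 2097152000) as Configured_Space, eval(sum(Free_contiguous_group_of_unbound_segments) / 2097152000) as Free_Space
| eval Consumed_Space = Configured_Space - Free_Space
| fields - Configured_Space
```

Rendered as a stacked column or area chart, Free_Space and Consumed_Space together add up to the configured total for each time bucket.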