Splunk Search

Question on basic subtraction in time charts

clintla
Contributor

Per below- my Total Configured_Space & Free_Space work great.

timechart eval(sum(Logical_Capacity_Blocks) / 2097152000) as Configured_Space,eval(sum(Free_contiguous_group_of_unbound_segments) / 2097152000) as Free_Space, eval(Configured_Space - Free_Space)

Now I'd like to have a listing of consumed space in my chart which means I really need
to subtract Free_Space from Configured_Space & I've tried several variations which
dont really work.
keep getting

Error in 'timechart' command: The eval expression has no fields: 'WDC_Configured_Space - Free_Space'

I've found the doc's page & it never really comes out & says how to subtract.
http://www.splunk.com/base/Documentation/4.2.1/SearchReference/Eval

What is the correct syntax to do subtraction?

Tags (2)
0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi Clintla

well I can fire up your command like this:

* | timechart eval(sum(Logical_Capacity_Blocks_) / 2097152000) as Configured_Space, eval(sum(Free_contiguous_group_of_unbound_segments) / 2097152000) as Free_Space | eval consumed_space = Configured_Space - Free_Space

it runs without any error and brings up an result.

cheers

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi Clintla

well I can fire up your command like this:

* | timechart eval(sum(Logical_Capacity_Blocks_) / 2097152000) as Configured_Space, eval(sum(Free_contiguous_group_of_unbound_segments) / 2097152000) as Free_Space | eval consumed_space = Configured_Space - Free_Space

it runs without any error and brings up an result.

cheers

clintla
Contributor

Thanks, That works... I feel like I got what I asked for & not what I wanted. I used a , instead of a pipe.

Not really sure why there is not more documentation on
Do's & donts.

I'd like to have a graph of used/free space but the above
throws in total space which messes up the graph.

try things like
source="OSDC" | timechart eval(sum(Free_contiguous_group_of_unbound_segments) / 2097152000) as Free_Space | eval Consumed_space = eval(sum(Logical_Capacity_Blocks) / 2097152000) - Free_Space

& it tells me SUM is not supported. puzzling.

other tries- says no fields.

I'll try some more.

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi clintla

have you tried the following eval?

eval consumed_space = Configured_Space - Free_Space

regrads

splunkpoornima
Communicator

hi i also got the same error

0 Karma

clintla
Contributor

I think so. Get this error

Error in 'timechart' command: The specifier 'eval' is invalid. It must be in form (). For example: max(size).

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Request for Professional Development: Attending .conf26

Winning Over the Boss: Your Pass to .conf26 conf26 is going to be here before you know it. If don't already ...