Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Question on basic subtraction in time charts

clintla
Contributor
‎07-01-2011 02:51 PM

Per below- my Total Configured_Space & Free_Space work great.

timechart eval(sum(Logical_Capacity_Blocks) / 2097152000) as Configured_Space,eval(sum(Free_contiguous_group_of_unbound_segments) / 2097152000) as Free_Space, eval(Configured_Space - Free_Space)

Now I'd like to have a listing of consumed space in my chart which means I really need
to subtract Free_Space from Configured_Space & I've tried several variations which
dont really work.
keep getting

Error in 'timechart' command: The eval expression has no fields: 'WDC_Configured_Space - Free_Space'

I've found the doc's page & it never really comes out & says how to subtract.
http://www.splunk.com/base/Documentation/4.2.1/SearchReference/Eval

What is the correct syntax to do subtraction?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎07-05-2011 09:54 PM

Hi Clintla

well I can fire up your command like this:

* | timechart eval(sum(Logical_Capacity_Blocks_) / 2097152000) as Configured_Space, eval(sum(Free_contiguous_group_of_unbound_segments) / 2097152000) as Free_Space | eval consumed_space = Configured_Space - Free_Space

it runs without any error and brings up an result.

cheers

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎07-05-2011 09:54 PM

Hi Clintla

well I can fire up your command like this:

* | timechart eval(sum(Logical_Capacity_Blocks_) / 2097152000) as Configured_Space, eval(sum(Free_contiguous_group_of_unbound_segments) / 2097152000) as Free_Space | eval consumed_space = Configured_Space - Free_Space

it runs without any error and brings up an result.

cheers

Reply
Solved! Jump to solution

clintla
Contributor
‎07-06-2011 03:04 PM

Thanks, That works... I feel like I got what I asked for & not what I wanted. I used a , instead of a pipe.

Not really sure why there is not more documentation on
Do's & donts.

I'd like to have a graph of used/free space but the above
throws in total space which messes up the graph.

try things like
source="OSDC" | timechart eval(sum(Free_contiguous_group_of_unbound_segments) / 2097152000) as Free_Space | eval Consumed_space = eval(sum(Logical_Capacity_Blocks) / 2097152000) - Free_Space

& it tells me SUM is not supported. puzzling.

other tries- says no fields.

I'll try some more.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎07-03-2011 11:32 PM

Hi clintla

have you tried the following eval?

eval consumed_space = Configured_Space - Free_Space

regrads

Reply
Solved! Jump to solution

splunkpoornima
Communicator
‎10-16-2012 03:39 AM

hi i also got the same error

0 Karma
Reply
Solved! Jump to solution

clintla
Contributor
‎07-05-2011 09:32 AM

I think so. Get this error

Error in 'timechart' command: The specifier 'eval' is invalid. It must be in form (). For example: max(size).

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...