Solved: Questions on Variable Manipulation.

clintla · ‎08-31-2011

I've got a chart that works great but just wanting to re-arrange the result.

timechart eval(sum(Logical_Capacity_Blocks)/ 2047752704) as Configured_Capacity, eval(sum(Free_Capacity_Blocks_non_contiguous)/ 2047752704) as Free_Space,

So this gives me 2 working variables
Configured_Capacity
Free_Space

Seems reasonable to be able to subtract the 2 at the end of the search.

Wanting to end with a Graph where I can stack Used & Free Space
to show my capacity but many variations per below just dont work.

timechart eval(sum(Logical_Capacity_Blocks)/ 2047752704) as Configured_Capacity, eval(sum(Free_Capacity_Blocks_non_contiguous)/ 2047752704) as Free_Space, eval(Configured_Capacity - Free_Space)

Seems like it should be an easy process but so far- its been tougher than expected.
Hoping I can get someone to show me some other ways to do this.

Thanks,
Clint

eelisio2 · ‎08-31-2011

The following results in 3 values being charted over time.
| timechart eval(sum(pctCPU)*5) as sumcpu, eval(sum(pctMEM)*5) as summem | eval mydiff=(sumcpu+summem)/10
The calculations are not meaningful. Just an example for form.
I ran this search in the Splunk Search App - Advanced Charting View.
My chart shows sumcpu, summem and mydiff charted over time without adding anything after the last eval command.

View solution in original post

eelisio2 · ‎08-31-2011

The following results in 3 values being charted over time.
| timechart eval(sum(pctCPU)*5) as sumcpu, eval(sum(pctMEM)*5) as summem | eval mydiff=(sumcpu+summem)/10
The calculations are not meaningful. Just an example for form.
I ran this search in the Splunk Search App - Advanced Charting View.
My chart shows sumcpu, summem and mydiff charted over time without adding anything after the last eval command.

eelisio2 · ‎09-02-2011

| stats sum(Logical_CapacityBlocks) as sumconf, sum(Free_CapacityBlocks) as sumfree by _time| eval Configured_Capacity=sumconf/2047752704 | eval Free_Space=sumfree/2047752704 | eval Used_Space=Configured_Capacity-Free_Space | chart values(Used_Space) as Used_Space, values(Free_Space) as Free_Space over _time

clintla · ‎09-01-2011

Thanks, One of the Auto-Fields changed. I changed it back & now I get all 3 lists correctly.

So I guess what is left is now that I have my 3 columns. I only wanted capacity for calculations. How do I tell it only graph used & free?

eelisio2 · ‎09-01-2011

Are you running the timechart search in the Advanced Charting View?

If you add "| table Used_Space Configured_Capacity Free_Space" to the end of the search and run in the regular search tab, do you see results?

clintla · ‎09-01-2011

With the "timechart eval(sum(Logical_CapacityBlocks_)/ 2047752704) as Configured_Capacity, eval(sum(Free_CapacityBlocks_non_contiguous_)/ 2047752704) as Free_Space | eval Used_Space=(Configured_Capacity - Free_Space)" search-

It does not add a column for Used_Space, nor does it
list any values. (although it does not give an error &
does find all the values with the green checked matching events) Not sure why your sample w/ CPU does, not sure whats different.

eelisio2 · ‎08-31-2011

Using your timechart syntax above in the Advanced Charting View,
timechart eval(sum(Logical_CapacityBlocks_)/ 2047752704) as Configured_Capacity, eval(sum(Free_CapacityBlocks_non_contiguous_)/ 2047752704) as Free_Space
| eval Used_Space=(Configured_Capacity - Free_Space)

should chart all 3 values (Configured_Capacity, Free_Space, Used_Space)

clintla · ‎08-31-2011

Thanks for the reply,

So I dont get an error with the changes per above.
Should something like below added to the end work?

| timechart values(Used_Space),values(Free_Space)

(only have 1 entry & that doesnt show any info).
Is there a better way to chart it?

Questions on Variable Manipulation.

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk