Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Timechart with eval

cet
Engager
‎01-07-2014 12:46 AM

We are showing a timechart with bandwidth in kilobits per second. We would like to transform this data into kilobytes per second. So the value of bandwidth divided by 1024.

This is the query:

name="Bandwidth by Client"  (515502 OR 410407 OR 414565 OR 444422 OR 777777) | timechart median(measures.Bandwidth) by "dimensions.Client Name"

I tried various things, such as adding an eval before, and then piping it on to the timechart, and also adding an eval function around the median function. But nothing seems to work.

We are using Splunk 6.0.1

Thank you in advance
Gidon

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎01-07-2014 12:57 AM

Hi cet,

assuming your kilobits field name is measures.Bandwidth you can do the following:

name="Bandwidth by Client" (515502 OR 410407 OR 414565 OR 444422 OR 777777) | eval measures.Bandwidth='measures.Bandwidth'/1024 | timechart median(measures.Bandwidth) by "dimensions.Client Name"

you can also rename the median in the timechart like this:

name="Bandwidth by Client" (515502 OR 410407 OR 414565 OR 444422 OR 777777) | eval measures.Bandwidth='measures.Bandwidth'/1024 | timechart median(measures.Bandwidth) AS median.KB.Bandwidth by "dimensions.Client Name"

watch out for the '' around the field name in eval, else eval will not ignore the dot in the name. Or rename your field to something without . in the name before the eval.

hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎01-07-2014 12:57 AM

Hi cet,

assuming your kilobits field name is measures.Bandwidth you can do the following:

name="Bandwidth by Client" (515502 OR 410407 OR 414565 OR 444422 OR 777777) | eval measures.Bandwidth='measures.Bandwidth'/1024 | timechart median(measures.Bandwidth) by "dimensions.Client Name"

you can also rename the median in the timechart like this:

name="Bandwidth by Client" (515502 OR 410407 OR 414565 OR 444422 OR 777777) | eval measures.Bandwidth='measures.Bandwidth'/1024 | timechart median(measures.Bandwidth) AS median.KB.Bandwidth by "dimensions.Client Name"

watch out for the '' around the field name in eval, else eval will not ignore the dot in the name. Or rename your field to something without . in the name before the eval.

hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎01-07-2014 01:22 AM

you're welcome 🙂

0 Karma
Reply
Solved! Jump to solution

cet
Engager
‎01-07-2014 01:17 AM

GREAT!!! Thanks a million!

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎01-07-2014 01:11 AM

facepalm stupid me, see my update to fix it 😉

0 Karma
Reply
Solved! Jump to solution

cet
Engager
‎01-07-2014 01:08 AM

did you mean:

name="Bandwidth by Client" (515502 OR 410407 OR 414565 OR 444422 OR 777777)| eval measures.Bandwidth=measures.Bandwidth/1024

this does return events. I also checked that measurs.Bandwidth is a number, and yes splunk recognizes it as a number.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎01-07-2014 01:04 AM

remove everything after the eval and see if you get anything

0 Karma
Reply
Solved! Jump to solution

cet
Engager
‎01-07-2014 01:03 AM

Once I add the eval expression , my timechart stops working. The statistics tab shows 0 stats. What could be the problem?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...