Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

To generate two sets of values from one field

splunk_rookie
Engager
‎03-22-2021 07:43 PM

Hi all,

I am new to Splunk and I would like to seek help from the Splunk Community to generate the net power consumption with the following conditions:

1. I have two sets of assets namely A and B, which generate a power consumption value. To get the net power consumption (NPC), I will need to subtract the power value of A from B. (NPC=powerB-powerA)

2. The power consumption values are accumulated. To obtain the power consumed by each asset, I subtracted the earliest power value from the latest value. (power=latest-earliest)

The problem which I'm facing now is I can't use the same field (power) to generate the power consumption values for asset A and B. I attempted to do a multisearch because I want both my search to run at the same time but the error which I got was "subsearch contains a non-streaming command".

Below is my search query:

 

| multisearch

[ | stats latest(Power) as latest_A earliest(Power) as earliest_A by A]

[| stats latest(Power) as latest_B earliest(Power) as earliest_B by B] 

 

| eval powerA = latestA - earliestA 

| eval powerB = latestB - earliestB

| eval NPC =  powerB - powerA

 

What are the alternatives way or commands which will make my query work? Please help!

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎03-22-2021 11:49 PM

@splunk_rookie Try below-
 

| stats latest(Power) as latest_power earliest(Power) as earliest_power by Asset
| eval powers = latest_power - earliest_power
| stats sum(eval(if(Asset=="A",powers,0))) as A sum(eval(if(Asset=="B",powers,0))) as B 
| eval NPC = B- A

 

 

 

If this helps an upvote will be appreciated!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎03-22-2021 11:49 PM

@splunk_rookie Try below-
 

| stats latest(Power) as latest_power earliest(Power) as earliest_power by Asset
| eval powers = latest_power - earliest_power
| stats sum(eval(if(Asset=="A",powers,0))) as A sum(eval(if(Asset=="B",powers,0))) as B 
| eval NPC = B- A

 

 

 

If this helps an upvote will be appreciated!

0 Karma
Reply
Solved! Jump to solution

splunk_rookie
Engager
‎03-23-2021 01:37 AM

thanks! it works~

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎03-22-2021 09:11 PM

Hi @splunk_rookie,

Are the assets A and B different fields in the log file ? Or field values?  Can you please post a sample data for us to help?

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

splunk_rookie
Engager
‎03-22-2021 11:14 PM

Hi @scelikok , 

Assets A and B are from the same field. Sorry, I can't provide the sample data but let me list out the fields which I used. 

1. Asset

2. Power

3. _time

Given that the power value generated by Asset A is a regenerative energy and Asset B is consumption energy,  I had to split the latest(power) and earliest(power) by Asset A and Asset B before subtracting them to obtain the net power consumption. 

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...