Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Wildcards in eval function, to eval unknown fields

sbsbb
Builder
‎08-28-2013 12:51 AM

I'm making a timechart, returning a unknown number of columns.
So I don't know how there named. I make appendcol, to add avg information, so I have :

  field1 field1_avg field2 field2_avg ... fieldN fieldN_avg

08:00 2 3 2 2 4 5

I would like to eval a fieldx_delta=field*-field*_avg

How could I achieved this ?

0 Karma
Reply

royimad
Builder
‎08-28-2013 01:09 AM

split it by consecutive spaces, get the total number then sum all of them divided by the total number. Note: Don't count the last field just count the spaces and add two to the total number. this will assume that time in the field1 is as of other fields so 1 in 3.

If your first fields contains other then time then considered to be the sum. In that case you will have 2 sum one for field1 and one for all other fields the equation will be

parity(sum+sum/2*(Total Number of Spaces + 2) +- 1) this will include 0 instead of all and the equation will not be thrown by null but by +1 or -1. This is not very fundamental it's just an equation where null could be the solution of your problem, don't be very optimistic if the solution is 1 or greater then it will be the sum. 1=sum , if your first field is 1 as other then you will not receive null as solution. In this case null doesn't exist my dear.

0 Karma
Reply

sbsbb
Builder
‎08-28-2013 01:14 AM

I've no spaces, the table above is an example, thats the results I get from splunk :

index=summary_kihub source="summary_cus5_vdv_dfi_msg_business" earliest=-1h@h S_plattform=i_kihub | timechart span=1m c(S_FahrtID.FahrtBezeichner) by S_partner | rename * as *_avg, _time as _time | appendcols [search index=summary_kihub source="summary_cus5_vdv_dfi_msg_business" earliest=-2h@h S_plattform=i_kihub | timechart span=1m c(S_FahrtID.FahrtBezeichner) by S_partner]

So I think we are not speeking about the same thing , are we ?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Developer Spotlight with Mika Borner

From Hackathon Winner to Enterprise Leader    Mika Borner, CEO and Founder of Datapunctum AG, has been ...

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

To help practitioners build a stronger foundation, we launched the Data Management & Federation ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...