Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Wildcards in eval function, to eval unknown fields

sbsbb
Builder
‎08-28-2013 12:51 AM

I'm making a timechart, returning a unknown number of columns.
So I don't know how there named. I make appendcol, to add avg information, so I have :

  field1 field1_avg field2 field2_avg ... fieldN fieldN_avg

08:00 2 3 2 2 4 5

I would like to eval a fieldx_delta=field*-field*_avg

How could I achieved this ?

0 Karma
Reply

royimad
Builder
‎08-28-2013 01:09 AM

split it by consecutive spaces, get the total number then sum all of them divided by the total number. Note: Don't count the last field just count the spaces and add two to the total number. this will assume that time in the field1 is as of other fields so 1 in 3.

If your first fields contains other then time then considered to be the sum. In that case you will have 2 sum one for field1 and one for all other fields the equation will be

parity(sum+sum/2*(Total Number of Spaces + 2) +- 1) this will include 0 instead of all and the equation will not be thrown by null but by +1 or -1. This is not very fundamental it's just an equation where null could be the solution of your problem, don't be very optimistic if the solution is 1 or greater then it will be the sum. 1=sum , if your first field is 1 as other then you will not receive null as solution. In this case null doesn't exist my dear.

0 Karma
Reply

sbsbb
Builder
‎08-28-2013 01:14 AM

I've no spaces, the table above is an example, thats the results I get from splunk :

index=summary_kihub source="summary_cus5_vdv_dfi_msg_business" earliest=-1h@h S_plattform=i_kihub | timechart span=1m c(S_FahrtID.FahrtBezeichner) by S_partner | rename * as *_avg, _time as _time | appendcols [search index=summary_kihub source="summary_cus5_vdv_dfi_msg_business" earliest=-2h@h S_plattform=i_kihub | timechart span=1m c(S_FahrtID.FahrtBezeichner) by S_partner]

So I think we are not speeking about the same thing , are we ?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...