Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Wildcards in eval function, to eval unknown fields

sbsbb
Builder
‎08-28-2013 12:51 AM

I'm making a timechart, returning a unknown number of columns.
So I don't know how there named. I make appendcol, to add avg information, so I have :

  field1 field1_avg field2 field2_avg ... fieldN fieldN_avg

08:00 2 3 2 2 4 5

I would like to eval a fieldx_delta=field*-field*_avg

How could I achieved this ?

0 Karma
Reply

royimad
Builder
‎08-28-2013 01:09 AM

split it by consecutive spaces, get the total number then sum all of them divided by the total number. Note: Don't count the last field just count the spaces and add two to the total number. this will assume that time in the field1 is as of other fields so 1 in 3.

If your first fields contains other then time then considered to be the sum. In that case you will have 2 sum one for field1 and one for all other fields the equation will be

parity(sum+sum/2*(Total Number of Spaces + 2) +- 1) this will include 0 instead of all and the equation will not be thrown by null but by +1 or -1. This is not very fundamental it's just an equation where null could be the solution of your problem, don't be very optimistic if the solution is 1 or greater then it will be the sum. 1=sum , if your first field is 1 as other then you will not receive null as solution. In this case null doesn't exist my dear.

0 Karma
Reply

sbsbb
Builder
‎08-28-2013 01:14 AM

I've no spaces, the table above is an example, thats the results I get from splunk :

index=summary_kihub source="summary_cus5_vdv_dfi_msg_business" earliest=-1h@h S_plattform=i_kihub | timechart span=1m c(S_FahrtID.FahrtBezeichner) by S_partner | rename * as *_avg, _time as _time | appendcols [search index=summary_kihub source="summary_cus5_vdv_dfi_msg_business" earliest=-2h@h S_plattform=i_kihub | timechart span=1m c(S_FahrtID.FahrtBezeichner) by S_partner]

So I think we are not speeking about the same thing , are we ?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...