Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Wildcards in eval function, to eval unknown fields

sbsbb
Builder
‎08-28-2013 12:51 AM

I'm making a timechart, returning a unknown number of columns.
So I don't know how there named. I make appendcol, to add avg information, so I have :

  field1 field1_avg field2 field2_avg ... fieldN fieldN_avg

08:00 2 3 2 2 4 5

I would like to eval a fieldx_delta=field*-field*_avg

How could I achieved this ?

0 Karma
Reply

royimad
Builder
‎08-28-2013 01:09 AM

split it by consecutive spaces, get the total number then sum all of them divided by the total number. Note: Don't count the last field just count the spaces and add two to the total number. this will assume that time in the field1 is as of other fields so 1 in 3.

If your first fields contains other then time then considered to be the sum. In that case you will have 2 sum one for field1 and one for all other fields the equation will be

parity(sum+sum/2*(Total Number of Spaces + 2) +- 1) this will include 0 instead of all and the equation will not be thrown by null but by +1 or -1. This is not very fundamental it's just an equation where null could be the solution of your problem, don't be very optimistic if the solution is 1 or greater then it will be the sum. 1=sum , if your first field is 1 as other then you will not receive null as solution. In this case null doesn't exist my dear.

0 Karma
Reply

sbsbb
Builder
‎08-28-2013 01:14 AM

I've no spaces, the table above is an example, thats the results I get from splunk :

index=summary_kihub source="summary_cus5_vdv_dfi_msg_business" earliest=-1h@h S_plattform=i_kihub | timechart span=1m c(S_FahrtID.FahrtBezeichner) by S_partner | rename * as *_avg, _time as _time | appendcols [search index=summary_kihub source="summary_cus5_vdv_dfi_msg_business" earliest=-2h@h S_plattform=i_kihub | timechart span=1m c(S_FahrtID.FahrtBezeichner) by S_partner]

So I think we are not speeking about the same thing , are we ?

0 Karma
Reply
Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...