Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Wildcards in eval function, to eval unknown fields

sbsbb
Builder
‎08-28-2013 12:51 AM

I'm making a timechart, returning a unknown number of columns.
So I don't know how there named. I make appendcol, to add avg information, so I have :

  field1 field1_avg field2 field2_avg ... fieldN fieldN_avg

08:00 2 3 2 2 4 5

I would like to eval a fieldx_delta=field*-field*_avg

How could I achieved this ?

0 Karma
Reply

royimad
Builder
‎08-28-2013 01:09 AM

split it by consecutive spaces, get the total number then sum all of them divided by the total number. Note: Don't count the last field just count the spaces and add two to the total number. this will assume that time in the field1 is as of other fields so 1 in 3.

If your first fields contains other then time then considered to be the sum. In that case you will have 2 sum one for field1 and one for all other fields the equation will be

parity(sum+sum/2*(Total Number of Spaces + 2) +- 1) this will include 0 instead of all and the equation will not be thrown by null but by +1 or -1. This is not very fundamental it's just an equation where null could be the solution of your problem, don't be very optimistic if the solution is 1 or greater then it will be the sum. 1=sum , if your first field is 1 as other then you will not receive null as solution. In this case null doesn't exist my dear.

0 Karma
Reply

sbsbb
Builder
‎08-28-2013 01:14 AM

I've no spaces, the table above is an example, thats the results I get from splunk :

index=summary_kihub source="summary_cus5_vdv_dfi_msg_business" earliest=-1h@h S_plattform=i_kihub | timechart span=1m c(S_FahrtID.FahrtBezeichner) by S_partner | rename * as *_avg, _time as _time | appendcols [search index=summary_kihub source="summary_cus5_vdv_dfi_msg_business" earliest=-2h@h S_plattform=i_kihub | timechart span=1m c(S_FahrtID.FahrtBezeichner) by S_partner]

So I think we are not speeking about the same thing , are we ?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...