I have something like this in the stats view in splunk.
field NE1 NE1-L NE2 NE2-1 field-alt
KPI1 30251 125000 22761 126000 KPI1-alt
KPI2 8809 38000 5875 38000 KPI2-alt
KPI3 212130 300000 229172 300000 KPI3-alt
KPI4 107965 160000 111798 160000 KPI4-alt
KPI5 83045 100000 42984 60000 KPI5-alt
KPI6 83229 100000 43081 60000 KPI6-alt
the query is rather long and contrived and looks something like:
index=core host=... |
stats ... | untable userLabel field value | xyseries field userLabel value |
appendcols [
search index=core ... |
stats max|
untable subname field value |
xyseries field subname value |
rename field as field1 |
]
What I want to do is add further columns to the right that are basically doing a arithmetic operation on the values in the row/columns to the left, giving something like:
field NE1 NE1-L NE2 NE2-1 field-alt field2 filed3
KPI1 30251 125000 22761 126000 KPI1-alt NE1/NE1-L NE2/NE2-L
KPI2 8809 38000 5875 38000 KPI2-alt NE1/NE1-L NE2/NE2-L
KPI3 212130 300000 229172 300000 KPI3-alt NE1/NE1-L NE2/NE2-L
KPI4 107965 160000 111798 160000 KPI4-alt NE1/NE1-L NE2/NE2-L
KPI5 83045 100000 42984 60000 KPI5-alt NE1/NE1-L NE2/NE2-L
KPI6 83229 100000 43081 60000 KPI6-alt NE1/NE1-L NE2/NE2-L
How Can I achieve this?
You can add this to the end of your search:
... | eval field2 = NE1/'NE1-L' | eval field3 = NE2/'NE2-L'
Note, you have to single-quote fields that contain a minus sign to avoid Splunk trying to subtract L
from NE1
... try not using fields that contain operators in their name to ease further computing.
You can add this to the end of your search:
... | eval field2 = NE1/'NE1-L' | eval field3 = NE2/'NE2-L'
Note, you have to single-quote fields that contain a minus sign to avoid Splunk trying to subtract L
from NE1
... try not using fields that contain operators in their name to ease further computing.
tks too easy 🙂