Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

calculating values in new rows/columns and appending based on values in existing rows/columns

HattrickNZ
Motivator
‎07-08-2015 07:35 PM

I have something like this in the stats view in splunk. 

field   NE1 NE1-L   NE2 NE2-1   field-alt
KPI1    30251   125000  22761   126000  KPI1-alt
KPI2    8809    38000   5875    38000   KPI2-alt
KPI3    212130  300000  229172  300000  KPI3-alt
KPI4    107965  160000  111798  160000  KPI4-alt
KPI5    83045   100000  42984   60000   KPI5-alt
KPI6    83229   100000  43081   60000   KPI6-alt

the query is rather long and contrived and looks something like: 

index=core host=... | 
stats  ... | untable userLabel field value | xyseries field userLabel value | 
appendcols [
search index=core ... | 
stats max| 
untable subname field value | 
xyseries field subname value | 
rename field as field1 | 
]

What I want to do is add further columns to the right that are basically doing a arithmetic operation on the values in the row/columns to the left, giving something like:

field   NE1 NE1-L   NE2 NE2-1   field-alt   field2      filed3
KPI1    30251   125000  22761   126000  KPI1-alt    NE1/NE1-L   NE2/NE2-L
KPI2    8809    38000   5875    38000   KPI2-alt    NE1/NE1-L   NE2/NE2-L
KPI3    212130  300000  229172  300000  KPI3-alt    NE1/NE1-L   NE2/NE2-L
KPI4    107965  160000  111798  160000  KPI4-alt    NE1/NE1-L   NE2/NE2-L
KPI5    83045   100000  42984   60000   KPI5-alt    NE1/NE1-L   NE2/NE2-L
KPI6    83229   100000  43081   60000   KPI6-alt    NE1/NE1-L   NE2/NE2-L

How Can I achieve this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-08-2015 07:44 PM

You can add this to the end of your search:

... | eval field2 = NE1/'NE1-L' | eval field3 = NE2/'NE2-L'

Note, you have to single-quote fields that contain a minus sign to avoid Splunk trying to subtract L from NE1... try not using fields that contain operators in their name to ease further computing.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-08-2015 07:44 PM

You can add this to the end of your search:

... | eval field2 = NE1/'NE1-L' | eval field3 = NE2/'NE2-L'

Note, you have to single-quote fields that contain a minus sign to avoid Splunk trying to subtract L from NE1... try not using fields that contain operators in their name to ease further computing.

Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎07-08-2015 08:11 PM

tks too easy 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...