Splunk Search

how to add calculated fields into a chart

chongdong
Explorer

I am trying to add 2 new fields into a chart, which is calculated by the exisiting columns in the following chart. Basically I want to add A3=A2/A1, and B3=B2/B1: 

chongdong_0-1642649972961.png

 

Can anyone suggest which command to use? 

Labels (1)
Tags (1)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

Try this - replace your last chart statement with these two lines - the chart just is renaming the fields and the foreach is doing the calc, i.e. Ratio=TintCount/Zones

| chart sum(tint_count) as TintCount dc(zonename) as Zones by direction type
| foreach TintCount* [ eval "Ratio<<MATCHSTR>>"='<<FIELD>>'/'Zones<<MATCHSTR>>' ]

 

View solution in original post

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Can you provide the query you are using? What happens when you tried what you tried?

0 Karma

chongdong
Explorer

Just found I can directly add sum(___) and dc(___) inside chart command which solved my previous problem lol! Thanks for looking into it though. Now I have a follow up quesion about my post-analysis for adding calculated fileds into the same chart... 

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Try this - replace your last chart statement with these two lines - the chart just is renaming the fields and the foreach is doing the calc, i.e. Ratio=TintCount/Zones

| chart sum(tint_count) as TintCount dc(zonename) as Zones by direction type
| foreach TintCount* [ eval "Ratio<<MATCHSTR>>"='<<FIELD>>'/'Zones<<MATCHSTR>>' ]

 

0 Karma

chongdong
Explorer

Thanks for the suggestion! But it doesn't seem to work

chongdong_0-1642660489110.png

Is the foreach command supposed to insert a new column called Ratio in this case? 

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Oops thanks @ITWhisperer pointing out the typo

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

dc(zonename) should be dc(zoneName)

Get Updates on the Splunk Community!

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...