Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to add calculation result of timechart

Richard_400
Engager
‎05-16-2024 05:59 AM

Hello,

I'm trying to new chart as calculate through packet count.

I search with query for interface for several device.

I could show as follow.

_timeinterface-AInterface-Binterface-C 
9:00100200100
9:10150250100
9:20200300100

I would like add Interface A+B-C for column as follow

_timeinterface-AInterface-Binterface-C Interface A+B-C
9:00100200100200
9:10150250100300
9:20200300100400

How can I make it?

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-16-2024 06:04 AM

Hi @Richard_400 ,

run something like the following

<your_search>
| bin span=10m _time
| chart count OVER interface BY _time
| eval 'Interface A+B-C'='interface-A'+'Interface-B'-'interface-C'

in general, don't use the minus in the fied names because Splunk knows it as minus, so you need to use quotes for the field names, use underscore (_).

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-16-2024 06:04 AM

Hi @Richard_400 ,

run something like the following

<your_search>
| bin span=10m _time
| chart count OVER interface BY _time
| eval 'Interface A+B-C'='interface-A'+'Interface-B'-'interface-C'

in general, don't use the minus in the fied names because Splunk knows it as minus, so you need to use quotes for the field names, use underscore (_).

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Richard_400
Engager
‎05-16-2024 10:18 PM

Hi @gcusello ,

Thank you for your feedback.

I got expecting work.

BR

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...