Splunk Search

how to combine 2 fields into 1 for visualizing in graph

HattrickNZ
Motivator

Can I combine 2 fields into 1 using this method:

Combining the 2 fields c84163237 and c84163338 into the one field seizureTraffic:

...| timechart  span=1h sum(c84163237) as seizureTraffic,  sum(c84163338) as seizureTraffic by LABEL

Or do I have to use an eval command:

eval field1=c84163237+c84163338

I can't seem to get either working, can anyone advise?

0 Karma
1 Solution

chimell
Motivator

HattrickNZ

Look at my example search:
sourcetype=access_*|eval sr=bytes+other| timechart span=1h sum(bytes) as sb , sum(other) as so , sum(sr) as s by LABEL

and the result



0 Karma

HattrickNZ
Motivator

It has something to do with my search before I do the timechart.
I have ...measInfoId=83888114 OR measInfoId=83888115 | timechart... but the thing is, to view this field c84163237 I need to select 83888114, and to view this field c84163338 I need to select 83888115.

But I still would have thought the method would work on this.

So it seems the counter needs to be from the same measInfoId for it to work.

E.g. this will work, as c84163237 + c84163241 both fall under measInfoId=83888114:
... measInfoId=83888114 OR measInfoId=83888115 duration=* LABEL=RNC01SJH | eval test1=c84163237 + c84163241 | timechart span=h sum(c84163237) sum(c84163338) sum(eval(c84163237 + c84163241)) as Sum_Traffic3 sum(test1)
More explanation:
eval test1=c84163237 + c84163241 - this works
sum(eval(c84163237 + c84163241)) as Sum_Traffic3 - this works

0 Karma
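The behaviour HattrickNZ describes above (eval a+b only works when both counters sit on the same event) comes from null arithmetic in eval: when one operand is missing on an event the result is null, so sum() over that field sees nothing. The constructed search below is an added example, not anything posted in this thread: it builds four fake events with makeresults (two per measInfoId, made-up counter values) and compares the naive eval against coalesce(), which treats a missing counter as 0 so the two fields add up into one series for the timechart. The field names and LABEL value are taken from the question; the numbers are constructed.

```spl
| makeresults count=4
| streamstats count AS n
| eval _time=relative_time(now(), "-".n."h")
| eval LABEL="RNC01SJH"
| eval measInfoId=if(n%2==0, "83888114", "83888115")
| eval c84163237=if(measInfoId=="83888114", 100*n, null())
| eval c84163338=if(measInfoId=="83888115", 10*n, null())
| eval naive=c84163237+c84163338
| eval seizureTraffic=coalesce(c84163237,0)+coalesce(c84163338,0)
| timechart span=1h sum(naive) AS naive sum(seizureTraffic) AS seizureTraffic by LABEL
```

On real data, replace the makeresults lines with the original search (measInfoId=83888114 OR measInfoId=83888115 ...) and keep only the last two commands; `fillnull value=0 c84163237 c84163338` placed before a plain eval is an equivalent alternative to coalesce().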

masonmorales
Influencer

Can you post some sample data and perhaps a mock-up of your desired result?

0 Karma