I'm running this query:
host="forward*" count
| eval platform_800_count = ASICM_count_DN_800 + DF2_count_DN_800 + DF2_count_TT_800
| timechart max(coin_ENEC_count_DN_800), max(ASICM_count_DN_800), max(DF2_count_DN_800), max(DF2_count_TT_800), max(platform_800_count)
I expect eval to sum the fields into platform_800_count and as a last step to timechart this field but it does not present a value on the chart for platform_800_count.
Other fields are presented.
As Martin points out below, I cannot eval separate events. Is there another method to do this?
You could do the eval after the timechart, provided there is a value for each field for each bucket.
In order for that sum to work you first need to rename the result of your timechart. Switch to the table view instead of the graph to better understand this. The columns listed there are what eval can use as input. Once you correctly eval yourself a new field it automagically becomes a column there, and will automagically appear in the timechart.
Like so?:
host="forward*" count
| timechart max(coin_ENEC_count_DN_800), max(ASICM_count_DN_800), max(DF2_count_DN_800), max(DF2_count_TT_800)
| eval platform_800_count = ASICM_count_DN_800 + DF2_count_DN_800 + DF2_count_TT_800
How would I go about presenting the new field in the timechart?
Oops, OK, did not know that.
I see, those three are in separate events? Eval works on a per-event basis.
Data is like this:
2013-03-14 14:10:14 DF2_count_DN_800=669
2013-03-14 14:10:14 ASICM_count_DN_800=723
2013-03-14 14:10:14 DF2_count_TT_800=1155
Odd - got some sample data?
Yes, all numbers and they all show up on the timechart.
If I only eval one field like "eval platform_800_count = ASICM_count_DN_800|" it does not show either.
Then your eval didn't work as you expected, so timechart has no chance to do anything.
What values do you have in those three fields you add together? All numbers?
This query as above gives "no results found".
After eval, before timechart. Try this:
host="forward*" count | eval platform_800_count = ASICM_count_DN_800 + DF2_count_DN_800 + DF2_count_TT_800 | stats values(platform_800_count)
No, it's a new field I create with eval.
Does platform_800_count have values before you apply the timechart?
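The two suggestions in this thread combined (eval after the timechart, with the timechart columns renamed so eval can reference them), as an added example that was not posted by any participant here. The fillnull step is an assumption added to cover buckets where one of the three fields has no value, since a null operand makes the sum null.

```spl
host="forward*" count
| timechart max(coin_ENEC_count_DN_800) AS coin_ENEC_count_DN_800,
            max(ASICM_count_DN_800) AS ASICM_count_DN_800,
            max(DF2_count_DN_800) AS DF2_count_DN_800,
            max(DF2_count_TT_800) AS DF2_count_TT_800
| fillnull value=0 ASICM_count_DN_800 DF2_count_DN_800 DF2_count_TT_800
| eval platform_800_count = ASICM_count_DN_800 + DF2_count_DN_800 + DF2_count_TT_800
```

With the three sample events shown above falling into one time bucket, that row would carry platform_800_count = 723 + 669 + 1155 = 2547, and the new column is drawn as an extra series on the chart.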