Solved: Question about constant and eval and stats

asarolkar · ‎01-03-2013

I have a search like this

sourcetype="syslog" | ... | stats c(eval(range="alpha")) AS ALPHA_COUNT c(eval(range="beta")) AS BETA_COUNT

This displays the count of alpha and beta in the form of a timechart just fine.

I need to lookup a field from a lookup table like this

| lookup gamma_count

This field is a constant

Then I need to display the three stacked in the form of a bar chart, so it looks like this

[alpha_ count] | [beta_ count] | [gamma_count]

Any ideas ?

Any help would be appreciated

lguinn2 · ‎01-03-2013

Try this:

sourcetype="syslog" | ... 
| stats count by range
| append [ inputlookup gamma_count | eval count=gamma_count | eval range="gamma' | fields range count]

I am not quite sure how to get the graph, but this should come close. You may have to play around with the charting options.

View solution in original post

lguinn2 · ‎01-03-2013

Try this:

sourcetype="syslog" | ... 
| stats count by range
| append [ inputlookup gamma_count | eval count=gamma_count | eval range="gamma' | fields range count]

I am not quite sure how to get the graph, but this should come close. You may have to play around with the charting options.

lguinn2 · ‎01-03-2013

sourcetype="syslog" | ... | timechart count by range | eval gamma=alpha-beta

should do it. Though you probably want to set the span option on the timechart command.

asarolkar · ‎01-03-2013

Thanks much !

Just wondering, what do I do if gamma count is the difference between alpha_count and beta_count (NOT read from a lookup file)

How would i plot that ?

Best regards

Question about constant and eval and stats

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!