topic Help on eval in a stats command in Splunk Enterprise

Help on eval in a stats command

jip31 — Mon, 27 Jun 2022 14:55:08 GMT

hello

I triy to add a condition in my eval command

| stats sum(eval(retrans_bytes)) as retrans by site

So I need to do something like this but it doesnt works

| stats sum(eval(retrans_bytes) AND (process="view.exe" OR netproc_process="remotemks.exe")) as retrans by site

could you help please?

Re: help on eval in a stats command

marysan — Sat, 25 Jun 2022 04:55:09 GMT

this must work for you :
|your code ...
|search process="view.exe" OR netproc_process="remotemks.exe"
| stats sum(retrans_bytes) as retrans by site

Re: help on eval in a stats command

jip31 — Sat, 25 Jun 2022 06:23:08 GMT

I know but it's not my needs because I must use 2 different condition in my stats command from the same field

something like this

| stats sum(eval(retrans_bytes) AND (process="view.exe" OR netproc_process="remotemks.exe")) as retrans, sum(eval(retrans_bytes) AND (process=*)) as retrans2 by site

Re: help on eval in a stats command

marysan — Sat, 25 Jun 2022 06:38:23 GMT

dear friend your query doesn't show different conditions :
one hand: (process="view.exe" OR netproc_process="remotemks.exe") and the other hand (process=*) !!
first condition is a subset of second condition

but I suppose that this must work for your target:
| eval flag=if(process="view.exe" OR netproc_process="remotemks.exe",1,0)
| stats sum(returnts_bytes) as returns_bytes by site,flag

Re: help on eval in a stats command

jip31 — Sat, 25 Jun 2022 07:10:40 GMT

Pearhaps i explain badly

But what I need is to stats sum separatively process="view.exe" OR netproc_process="remotemks.exe") and netproc-process=* because I need to calculate à ratio between these 2 fields

So first condition is not a subset of second condition!

So i need to build 2 différents stats sum(eval....) with these 2 différents conditions....

Re: help on eval in a stats command

PickleRick — Sat, 25 Jun 2022 09:13:35 GMT

The eval stats operation is somewhat incompletely and confusingly described in docs (I have to submit a feedback if I remember it when I get home).

A simple (or complex) condition is silently cast to 0/1 as true/false. That means that for a count() aggregation it works pretty well. But for other functions you have to manually specify a value which will be aggregated.

You might think of

stats agg(eval(expression))

eval var=expression | stats agg(var)

So what you need is (if I understand the logic of your condition)

stats sum(if(process="view.exe" OR netproc_process="remotemks.exe",retrans_bytes,null())) as [...]

In your particular case you can use 0 instead of null() because it doesn't skew the results but for other aggregations null() is better because splunk doesn't aggregate null fields so they are filtered out.

Re: help on eval in a stats command

jip31 — Sat, 25 Jun 2022 09:29:08 GMT

So considering my need, is it ok to do this :

stats sum(if(process="view.exe" OR netproc_process="remotemks.exe",retrans_bytes,null())) as retrans1, sum(if(process=*, retrans_bytes,null())) as retrans2

Re: help on eval in a stats command

PickleRick — Sat, 25 Jun 2022 09:35:49 GMT

Close but not quite. I didn't count the parentheses 😉

But more importantly, the comparison in if is not a search operator but a simple equality comparison. So you can't do

if(index=*,...)

If I remember correctly, there is another function for that - check match() or searchmatch()

Re: help on eval in a stats command

jip31 — Sat, 25 Jun 2022 17:02:35 GMT

sorry but i am unable to apply it and not sure that my need is well understanded

`index` (sourcetype="netproc" netproc_process="vmware-view.exe" OR netproc_process="vmware.remotemks.exe") | fields netproc_tcp_retrans_bytes site | stats sum(netproc_tcp_retrans_bytes) as retrans by site

Actually I sum the field "netproc_tcp_retrans_bytes" like this

what I need is to use the netproc_process field not in the sourcetype but only in the stats command

so I need something like this but I dont succeed to write this

`index` (sourcetype="netproc_tcp" netproc_process="vmware-view.exe" OR netproc_process="vmware.remotemks.exe") | fields netproc_tcp_retrans_bytes site | stats sum(eval(netproc_tcp_retrans_bytes AND netproc_process="vmware-view.exe" OR netproc_process="vmware.remotemks.exe")) as retrans by site

So is anybody can help me please?

Re: help on eval in a stats command

PickleRick — Sun, 26 Jun 2022 05:45:11 GMT

You're most probably not understood correctly. You keep repeating "I'm trying to do 'this' but 'this' is written wrongly".

How are we supposed to know what you're trying to achieve then?

Try to rephrase it and tell us what is the problem you're trying to solve without using SPL.

Alternatively, use the other approach I showed you before - don't do stats(eval) because it does get confusing at times, but try to eval an additional field(s) first and then aggregate simply on this field (or fields).