https://community.splunk.com/t5/Knowledge-Management/Perform-calculations-on-a-count-of-EventTypes/m-p/18182#M134 <P>I would firstly try simplifying the names you are using the <CODE>timechart</CODE> command, and use something simple like:</P> <PRE><CODE>OC-Main-player-loaded --&gt; loaded </CODE></PRE> <P>Then pipe to your <CODE>eval</CODE> command and use the simplified field labels in your calculation. I have had issues in the past with processing certain field names.</P> <P>I would then pipe to <CODE>rename</CODE> to change the simplified field labels to something more legible.</P> <P>Hope this helps.</P> Mon, 04 Feb 2013 13:01:30 GMT MHibbin 2013-02-04T13:01:30Z https://community.splunk.com/t5/Knowledge-Management/Perform-calculations-on-a-count-of-EventTypes/m-p/18181#M133 <P>I have having trouble performing basic calculations using Eval. I can do '2*2' but I cannot do this with a count of eventtype.</P> <P>I have a search running, to total EventTypes that I created.</P> <P>sourcetype=csv | timechart span="1d" , count(eval(eventtype="OC-Main Player_Loaded")) AS OC-Main-player-loaded, count(eval(eventtype="OC-Main User_Interacted")) AS OC-Main-User_Interacted</P> <P>This creates a table, showing the time, and then a count of the EventTypes (in this case "OC-Main PlayerLoaded" and "OC-Main UserInteracted").</P> <P><IMG src="https://dl.dropbox.com/u/6588335/sa/splunk/data-example.jpg" alt="alt text" /></P> <P>I want to create a 4th column, that would give me a calculation, based on these counts. What I want is a %, but at the moment I can't get anything to work.</P> <P>If I add a simple Eval at the end, the result shows. eg... <STRONG>| eval ocper=(2*2)</STRONG> shows as 4<BR /> However, if I try and use the AS event names (eg: OC-Main-player-loaded) nothing shows.</P> <P>My guess is, OC-Main-player-loaded is just the name of the table column, and splunk has no concept of what I am trying to multiply. I assume I need to specify that the count should be some sort of field that can be multiplied. How do I do this?</P> <P>thanks in advanced.</P> Mon, 28 Sep 2020 13:13:36 GMT https://community.splunk.com/t5/Knowledge-Management/Perform-calculations-on-a-count-of-EventTypes/m-p/18181#M133 sportauthority 2020-09-28T13:13:36Z https://community.splunk.com/t5/Knowledge-Management/Perform-calculations-on-a-count-of-EventTypes/m-p/18182#M134 <P>I would firstly try simplifying the names you are using the <CODE>timechart</CODE> command, and use something simple like:</P> <PRE><CODE>OC-Main-player-loaded --&gt; loaded </CODE></PRE> <P>Then pipe to your <CODE>eval</CODE> command and use the simplified field labels in your calculation. I have had issues in the past with processing certain field names.</P> <P>I would then pipe to <CODE>rename</CODE> to change the simplified field labels to something more legible.</P> <P>Hope this helps.</P> Mon, 04 Feb 2013 13:01:30 GMT https://community.splunk.com/t5/Knowledge-Management/Perform-calculations-on-a-count-of-EventTypes/m-p/18182#M134 MHibbin 2013-02-04T13:01:30Z https://community.splunk.com/t5/Knowledge-Management/Perform-calculations-on-a-count-of-EventTypes/m-p/18183#M135 <P>Ok, that works. thank you very much. It's probably something I should have tried about 4 hours ago. Instead I have been reading docs, trying examples, looking in the wiki. You live and learn! cheers!</P> Mon, 04 Feb 2013 13:18:20 GMT https://community.splunk.com/t5/Knowledge-Management/Perform-calculations-on-a-count-of-EventTypes/m-p/18183#M135 sportauthority 2013-02-04T13:18:20Z https://community.splunk.com/t5/Knowledge-Management/Perform-calculations-on-a-count-of-EventTypes/m-p/18184#M136 <P>No problem, to close this question off, can you mark the answer as accepted with the empty tick beside the answer.</P> <P>Thanks.</P> Mon, 04 Feb 2013 13:36:31 GMT https://community.splunk.com/t5/Knowledge-Management/Perform-calculations-on-a-count-of-EventTypes/m-p/18184#M136 MHibbin 2013-02-04T13:36:31Z