topic Re: Why does my division of two fields return nothing? in Splunk Search

Why does my division of two fields return nothing?

sjcoluccio67 — Tue, 29 Sep 2020 19:19:10 GMT

I have the following query that is inteded to divide the "stats.hypervisor_cpu_ppm" field by 10000 and then show that value in a table.

   index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=* | eval usage=stats.hypervisor_cpu_usage_ppm / 10000 | table host, stats.hypervisor_cpu_usage_ppm, usage | dedup host

When I run the query, It gives me a table with the host, the values for stats.hypervisor_spu_ppm, and then an empty column for usage. Why is the usage column empty?

Re: Why does my division of two fields return nothing?

elliotproebstel — Mon, 30 Apr 2018 18:12:49 GMT

I believe you need to replace this:

| eval usage=stats.hypervisor_cpu_usage_ppm / 10000

with this:

| eval usage='stats.hypervisor_cpu_usage_ppm' / 10000

Splunk has some quirks about when field names must be wrapped with quotes in order to reference them, and field names with non-alphanumeric characters often trigger those.

Re: Why does my division of two fields return nothing?

sjcoluccio67 — Mon, 30 Apr 2018 18:16:01 GMT

I have tried this, but I get the same empty column. I tried double quotes as well, but that returned an error becuase Splunk read it as a string being divided by a number.

Re: Why does my division of two fields return nothing?

woodcock — Mon, 30 Apr 2018 18:23:33 GMT

Try this:

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=*
| dedup host
| eval usage=$stats.hypervisor_cpu_usage_ppm$ / 10000
| table host, $stats.hypervisor_cpu_usage_ppm$, usage

Or this:

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=*
| dedup host
| eval usage='stats.hypervisor_cpu_usage_ppm' / 10000
| table host, 'stats.hypervisor_cpu_usage_ppm', usage

Re: Why does my division of two fields return nothing?

somesoni2 — Mon, 30 Apr 2018 18:31:33 GMT

Can you post some sample entries that you see for field stats.hypervisor_cpu_usage_ppm, before division?

Re: Why does my division of two fields return nothing?

sjcoluccio67 — Tue, 29 Sep 2020 19:19:13 GMT

Here is an example of entries for that field:

stats.hypervisor_cpu_usage_ppm

286690
286690

745400
745400

Re: Why does my division of two fields return nothing?

sjcoluccio67 — Mon, 30 Apr 2018 18:44:50 GMT

Niether of these worked. In fact, they both resulted in the stats.hypervisor_cpu_usage_ppm column being empty as well as the usage column

Re: Why does my division of two fields return nothing?

elliotproebstel — Mon, 30 Apr 2018 18:47:15 GMT

Is that the value of a single field? Is it a multivalue field?

Re: Why does my division of two fields return nothing?

ssadanala1 — Tue, 29 Sep 2020 19:23:11 GMT

Can you try the below

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=*
| dedup host
| eval usage=tonumber(stats.hypervisor_cpu_usage_ppm) / 10000
| table host, 'stats.hypervisor_cpu_usage_ppm', usage

Thanks

Re: Why does my division of two fields return nothing?

sjcoluccio67 — Tue, 29 Sep 2020 19:19:16 GMT

No luck, the usage column is still empty. also putting the quotes around stats.hypervisor_cpu_usage_ppm like this : | table host, 'stats.hypervisor_cpu_usage_ppm causes that column to be empty as well.

Re: Why does my division of two fields return nothing?

ssadanala1 — Tue, 29 Sep 2020 19:23:14 GMT

Please try this and can let us know whether stats.hypervisor_cpu_usage_ppm has field values populated

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=* |dedup host |table stats.hypervisor_cpu_usage_ppm |eval number = 1000 |eval divide = stats.hypervisor_cpu_usage_ppm/number

Re: Why does my division of two fields return nothing?

somesoni2 — Mon, 30 Apr 2018 19:03:26 GMT

Shot in the dark, try this

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=* | eval usage=replace('stats.hypervisor_cpu_usage_ppm',"\s+","")/10000 | table host, stats.hypervisor_cpu_usage_ppm, usage | dedup host

Re: Why does my division of two fields return nothing?

sjcoluccio67 — Tue, 29 Sep 2020 19:19:24 GMT

This only returns two columns. The "stats.hypervisor_cpu_usage_ppm" column has its values and then htere is a "divide" column that just has the value 10000. I used you suggestion and tried the following, but it left me with the same problem that I have been having - the "usage" column is empty.

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=* |dedup host |eval number = 1000 |eval usage = stats.hypervisor_cpu_usage_ppm/number | table host, stats.hypervisor_cpu_usage_ppm, usage

Re: Why does my division of two fields return nothing?

macadminrohit — Tue, 29 Sep 2020 19:19:36 GMT

Try this:

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=*
| dedup host | rename stats.hypervisor_cpu_usage_ppm as USAGEPPM
| eval usage=USAGEPPM/ 10000
| table host,USAGEPPM, usage

basically i have renamed the field stats.hypervisor_cpu_usage_ppm as USAGEPPM

Re: Why does my division of two fields return nothing?

sjcoluccio67 — Wed, 02 May 2018 15:49:43 GMT

This does not work either... I don't know why this is happening, it doesn't make much sense.

Re: Why does my division of two fields return nothing?

rnayshulis — Tue, 29 Sep 2020 19:54:34 GMT

I am running into a similar issue and have discovered that splunk is extracting the field that I'm dividing incorrectly. I have a field that's something like size=123 in my events, but splunk for some reason grabs user agent string from the events and assigns that to size. So make sure your stats.hypervisor_cpu_usage_ppm field has actual numerical values that you expect. I'm still working on fixing my problem, will update here if fixing field extraction fixed the division problem.

Re: Why does my division of two fields return nothing?

aropaltioali — Thu, 07 May 2020 11:47:07 GMT

Hey!

I bumped into this thread and noticed this was not solved.
If you noticed the fields are presented as string (a not,#) and the tonumber fails due to multiple values in the string.

Here's the how I found out the solution:

/opt/splunk/etc/system/local/props.conf

[nutanix_arch]
KV_MODE = none
AUTO_KV_JSON = false
INDEXED_EXTRACTIONS = JSON

https://answers.splunk.com/answers/610585/json-format-duplicate-value-in-field.html

Now the field is an interger and you can eval it with the following command:
|eval usage='stats.hypervisor_cpu_usage_ppm' / 10000

Hope this helps! 🙂