https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-within-stats-for-data-from-tstats/m-p/412144#M118866 <P>This works for me (using <CODE>prestats</CODE> is a deep, dark magic):</P> <PRE><CODE>| tstats summariesonly=t allow_old_summaries=f count FROM datamodel=Network_Traffic.All_Traffic WHERE (All_Traffic.action!="unknown") BY sourcetype All_Traffic.action _time span=1h | rename All_Traffic.* AS * | stats count As total_connections count(eval(action=="allowed")) AS allowed count(eval(action=="blocked" OR action=="dropped")) AS blocked BY _time, sourcetype | eval pct_blocked = 100 * blocked / total_connections </CODE></PRE> Sat, 27 Jul 2019 17:24:21 GMT woodcock 2019-07-27T17:24:21Z https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-within-stats-for-data-from-tstats/m-p/412141#M118863 <P>I'm trying to use eval within stats to work with data from tstats, but it doesn't seem to work the way I expected it to work. I'm hoping there's something that I can do to make this work.</P> <P>Here's a simplified version of what I'm trying to do:</P> <PRE><CODE>| tstats summariesonly=t allow_old_summaries=f prestats=t count from datamodel=Network_Traffic.All_Traffic where (All_Traffic.action!="unknown") by _time,sourcetype,All_Traffic.action span=1h | `drop_dm_object_name("All_Traffic")` | stats count as total_connections count(eval(action="allowed")) as allowed count(eval(action="blocked" OR action="dropped")) as blocked by _time, sourcetype </CODE></PRE> <P>When I run that, I see valid numbers for total_connections, but the "allowed" and "blocked" values are all just "0"</P> <P>The following works for me:</P> <PRE><CODE>| tstats summariesonly=t allow_old_summaries=f prestats=f count from datamodel=Network_Traffic.All_Traffic where (All_Traffic.action!="unknown") by _time,sourcetype,All_Traffic.action span=1h | `drop_dm_object_name("All_Traffic")` </CODE></PRE> <P>However, that doesn't present the data in the way I want it. I'd like to add things like percentage blocked per sourcetype, etc., with additional eval statements.</P> <P>Any suggestions for how to get the stats command to work with those nested eval statements? Is that unsupported? (I've read that nested eval within tstats isn't supported, but that it is supported within stats)</P> <P>Thanks!</P> Tue, 23 Jul 2019 19:38:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-within-stats-for-data-from-tstats/m-p/412141#M118863 kcheek_umich 2019-07-23T19:38:26Z https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-within-stats-for-data-from-tstats/m-p/412142#M118864 <P>Hi</P> <P>Try without the prestats option (it works as desired for me):</P> <PRE><CODE>| tstats summariesonly=t allow_old_summaries=f count from datamodel=Network_Traffic.All_Traffic where (All_Traffic.action!="unknown") by _time,sourcetype,All_Traffic.action span=1h | `drop_dm_object_name("All_Traffic")` | stats count as total_connections count(eval(action="allowed")) as allowed count(eval(action="blocked" OR action="dropped")) as blocked by _time, sourcetype </CODE></PRE> <P><IMG src="https://imgur.com/PcGQlQ8" alt="alt text" /></P> <P>Hope it helps</P> Tue, 23 Jul 2019 23:43:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-within-stats-for-data-from-tstats/m-p/412142#M118864 jaime_ramirez 2019-07-23T23:43:08Z https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-within-stats-for-data-from-tstats/m-p/412143#M118865 <P>While that does produce numbers in more of the fields, they aren't correct numbers when I try that. Instead of counting the number of network traffic events, stats just counts the number of distinct values of "action" per sourcetype that match each eval statement. (so, in my case, the calculated values from the stats command are all 0, 1, 2, or 3)</P> Wed, 24 Jul 2019 19:05:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-within-stats-for-data-from-tstats/m-p/412143#M118865 kcheek_umich 2019-07-24T19:05:44Z https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-within-stats-for-data-from-tstats/m-p/412144#M118866 <P>This works for me (using <CODE>prestats</CODE> is a deep, dark magic):</P> <PRE><CODE>| tstats summariesonly=t allow_old_summaries=f count FROM datamodel=Network_Traffic.All_Traffic WHERE (All_Traffic.action!="unknown") BY sourcetype All_Traffic.action _time span=1h | rename All_Traffic.* AS * | stats count As total_connections count(eval(action=="allowed")) AS allowed count(eval(action=="blocked" OR action=="dropped")) AS blocked BY _time, sourcetype | eval pct_blocked = 100 * blocked / total_connections </CODE></PRE> Sat, 27 Jul 2019 17:24:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-within-stats-for-data-from-tstats/m-p/412144#M118866 woodcock 2019-07-27T17:24:21Z https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-within-stats-for-data-from-tstats/m-p/412145#M118867 <P>For me, this has the same result as the suggestion from jaime.ramirez - I don't get counts of network events. Instead, I get what appears to be the count of unique values for "action" for each "stats eval" for each sourcetype (0, 1, 2, or 3).</P> Mon, 29 Jul 2019 14:23:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-within-stats-for-data-from-tstats/m-p/412145#M118867 kcheek_umich 2019-07-29T14:23:53Z https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-within-stats-for-data-from-tstats/m-p/412146#M118868 <P>You do see the <CODE>total_connections</CODE> field, right?</P> Mon, 29 Jul 2019 18:05:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-within-stats-for-data-from-tstats/m-p/412146#M118868 woodcock 2019-07-29T18:05:32Z https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-within-stats-for-data-from-tstats/m-p/412147#M118869 <P>Yep - and it only has the values 0, 1, 2, or 3 - it doesn't actually contain the total number of connections unless I use prestats=t</P> Mon, 29 Jul 2019 18:12:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-within-stats-for-data-from-tstats/m-p/412147#M118869 kcheek_umich 2019-07-29T18:12:36Z https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-within-stats-for-data-from-tstats/m-p/412148#M118870 <P>OK, I finally get it. Try this:</P> <PRE><CODE>| tstats summariesonly=t allow_old_summaries=f count FROM datamodel=Network_Traffic.All_Traffic WHERE index=* BY sourcetype All_Traffic.action _time span=1h | rename All_Traffic.* AS * | stats count As total_connections count(eval(action=="allowed")) AS allowed count(eval(action=="blocked" OR action=="dropped")) AS blocked BY _time, sourcetype | eval pct_blocked = 100 * blocked / total_connections </CODE></PRE> Mon, 29 Jul 2019 18:54:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-within-stats-for-data-from-tstats/m-p/412148#M118870 woodcock 2019-07-29T18:54:20Z https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-within-stats-for-data-from-tstats/m-p/616223#M214174 <P>The trick is to use "case" eval function:</P><P>&nbsp;</P><LI-CODE lang="markup">count(eval(action="allowed")) as allowed count(eval(action="blocked" OR action="dropped")) as blocked values(eval(case(action="allowed", count))) as allowed values(eval(case(action="blocked" OR action="dropped", count))) as blocked</LI-CODE><P>&nbsp;</P> Thu, 06 Oct 2022 20:17:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-within-stats-for-data-from-tstats/m-p/616223#M214174 stoomart 2022-10-06T20:17:57Z