topic Re: How to get eval values from two fields in Splunk Search

How to get eval values from two fields

rashi83 — Fri, 14 Jun 2019 19:49:38 GMT

My current search is this:

index="x | timechart count(eval(statusCategory="B"))

I want to add one more statusCategory="C" and tried making like -

index="x | timechart count(eval(statusCategory="B" OR statusCategory="C" ))  but it do not work

Re: How to get eval values from two fields

rbechtold — Fri, 14 Jun 2019 19:53:31 GMT

Hi Rashi83,

Does this work?

| index=x 
| search statusCategory="B" OR statusCategory="C" 
| timechart count by statusCategory

Alternatively, if you need to define the "statusCategory" before the timechart, you can use:

| index=x
| eval statusCategory=if(statusCategory="B_string", "B", if(statusCategory="C_string", "C", null))
| where isnotnull(statusCategory)
| timechart count by statusCategory

Re: How to get eval values from two fields

rashi83 — Fri, 14 Jun 2019 20:19:25 GMT

Thanks, but I need to show the sum up value of statusCategory =A and statusCategory=B while doing visualization as single value.

This yields correct value but not the sumup value.

Re: How to get eval values from two fields

rbechtold — Fri, 14 Jun 2019 20:27:13 GMT

Ahh, I see!

If I am understanding correctly, would using

...|timechart count(statusCategory)

instead of

...|timechart count by statusCategory

in one of my previous examples do the trick?

Re: How to get eval values from two fields

rashi83 — Mon, 17 Jun 2019 15:27:30 GMT

Thank you so much...I was working more on this query and was trying to get percentage of "Pass" . Pass % will include - statusCategory="Pass" and statusCategory="NearPass"

But it fails to recognize count of statusCategory=Fail
How can this be modified?

Re: How to get eval values from two fields

Vijeta — Mon, 17 Jun 2019 15:44:03 GMT

@rashi83 to get total of fail, pass , nearpass use below

index=x | stats count(eval(statusCategory="Pass")) as "Pass", count(eval(statusCategory="NearPass")) as NearPass ,count(eval(statusCategory=="Fail")) as "Fail" by region | eval Pass=Pass + NearPass

Re: How to get eval values from two fields

rashi83 — Mon, 17 Jun 2019 16:04:07 GMT

Doesn't work VIjeta

Re: How to get eval values from two fields

Vijeta — Mon, 17 Jun 2019 17:54:53 GMT

What results do you get?

Re: How to get eval values from two fields

rbechtold — Mon, 17 Jun 2019 19:27:45 GMT

Hello again rashi! No problem at all, it is my intention to help out however I can.

The reason it fails to recognize count of statusCategory="Fail" is because the search pipe and the stats pipe removes all instances of fail statuses from the data. Let's try to fix that!

I'm operating under the assumption that we're working with these two fields for this search:
1. statusCategory
2. region

Is this correct? The reason I'm asking is because I see a "Compliant" field and a "NonCompliant" field in the foreach command, and I'm not sure how they come into play.

That said, if we are just looking for a "Pass %" by region, the query below should work:

|index = x
| eval PassCheck = if(statusCategory="Pass", 1, if(statusCategory="NearPass", 1, 0))
| eval FailCheck = if(PassCheck=0, 1, 0)
| stats sum(FailCheck) AS Fail sum(PassCheck) AS Pass  by region
| eval total_by_area = Fail + Pass
| eval area_percent = round((Pass / total_by_area),2) *100
| table region area_percent
| sort - area_percent
| rename area_percent AS "Pass %", region AS Region

Let me know if anything goes wrong, or if anything doesn't make sense!