Need help with eval

Dsrao12345 — Tue, 06 Aug 2019 11:16:05 GMT

my search query :

index=index1"PrepareResponseTime= " 
| rex "PreResponseTime= (?[0-9]*) ms"  
| where PrepareResponseTime > 1000 
| eval PrepareResponseTime= "count >1000"  
| stats count by index,PrepareOrderResponseTime 
| append [search index=index2 "PrepareResponseTime= " 
| rex "PrepareResponseTime= (?[0-9]*) ms"  
| where PrepareResponseTime < 1000 | eval PrepareResponseTime= "count <1000"

statistics results:

indexname PrepareResponseTime count
========= =================== =====
index1 count >1000 1486
index2 count <1000 6639

I would like to using eval calculate percentage like below:

(1486 * 100) / (1486 + 6639) = %

148600/8125 = 18.289 (round)

After using calculations results to be like :

round 18.29%

Re: Need help with eval

renjith_nair — Tue, 06 Aug 2019 12:50:46 GMT

@Dsrao12345,

Add this to your search

| eventstats sum(count) as total
| eval perc=round((count/total)*100,2)

And your original search probably could be modified as

 (index=index1  OR  index=index2) "PrepareResponseTime= "  
 |rex "PreResponseTime= (?[0-9]) ms"
 |eval ResponseTime=if(PrepareResponseTime <1000,"count <1000","count >1000" )
 |stats count by index,ResponseTime

topic Re: Need help with eval in Splunk Search

Need help with eval

Re: Need help with eval