topic Re: help on eval field which returns any results in Splunk Search

help on eval field which returns any results

jip31 — Tue, 01 Sep 2020 16:43:16 GMT

I have an issue with the field MemoryUsage
I have no results in | eval MemoryUsage = round((TotalMemory-FreeMemory) / TotalMemory*100, 2) due to the field FreeMemory which returns any results
Its strange because the "Value" fields is an positive and integer number and I collect well this field
So what is the issue please

| fields host Value TotalPhysicalMemory 
| eval FreeMemory = round(Value, 0)
| eval TotalMemory = round((TotalPhysicalMemory / 1024 / 1024), 0) 
| eval MemoryUsage = round((TotalMemory-FreeMemory) / TotalMemory*100, 2) 
| stats last(FreeMemory) as "Free Memory", last(TotalMemory) as "Total Memory", values(MemoryUsage) as "Memory Usage" by host 
| eval Free Memory='Free Memory'." MB", Total Memory='Total Memory'." MB", Memory Usage='Memory Usage'." %"

Re: help on eval field which returns any results

FreekMulders — Wed, 19 Feb 2020 12:33:02 GMT

If the field MemoryUsage is empty, it is probably because the TotalMemory is 0 (due to rounding) and you cannot divide by 0.

Re: help on eval field which returns any results

nickhills — Wed, 19 Feb 2020 14:10:19 GMT

Can you provide an example of what value contains?

Re: help on eval field which returns any results

jip31 — Wed, 19 Feb 2020 14:30:09 GMT

I have attached an example of value field

Re: help on eval field which returns any results

nickhills — Wed, 19 Feb 2020 14:41:55 GMT

Silly question - does your physical memory (or the value reported) always exceed the free memory?
This strikes me that it can only be a maths problem.

Your formula is converting TotalPhysicalMemory from bytes -> kilobytes -> megabytes, but there is no conversion for FreeMemory, is that always represented in megabytes?

Can you run:
<your base search>|table Value TotalPhysicalMemory FreeMemory TotalMemory MemoryUsage
So we can see the numbers that are being fed into the calculation.

Re: help on eval field which returns any results

jip31 — Wed, 19 Feb 2020 15:34:46 GMT

normally PhysicalMemory (memory installed) always exceed free memory
yes by defaumt free memory is in megabytes
I have executed the search I have results except in MemoryUsage
if I replace FreeMemory by an integer in | eval MemoryUsage = round((TotalMemory-FreeMemory) / TotalMemory*100, 2) it works
so the problem is arround FreeMemory

Re: help on eval field which returns any results

nickhills — Wed, 19 Feb 2020 15:38:03 GMT

Can you just post the output of this:
<your base search>|table Value TotalPhysicalMemory FreeMemory TotalMemory MemoryUsage

There is something wrong with your data, and the results of that output will help highlight what the problem is.

Re: help on eval field which returns any results

nickhills — Wed, 19 Feb 2020 15:46:29 GMT

or value is empty in the event.

Re: help on eval field which returns any results

jip31 — Wed, 19 Feb 2020 16:02:49 GMT

I have attached the output

Re: help on eval field which returns any results

jip31 — Thu, 20 Feb 2020 05:56:18 GMT

no, TotalMemory is never equal to 0........

Re: help on eval field which returns any results

nickhills — Thu, 20 Feb 2020 07:02:41 GMT

Thanks for the output, but that does not help.
Please can you post the output of this:

| fields host Value TotalPhysicalMemory 
| eval FreeMemory = round(Value, 0)
| eval TotalMemory = round((TotalPhysicalMemory / 1024 / 1024), 0) 
| eval MemoryUsage = round((TotalMemory-FreeMemory) / TotalMemory*100, 2) 
|table Value TotalPhysicalMemory FreeMemory TotalMemory MemoryUsage

My expectation is that there will be some rows with values missing/invalid

Re: help on eval field which returns any results

jip31 — Thu, 20 Feb 2020 07:58:56 GMT

hum...
its the same output like yesterday no??
To my mind, i think that Value or TotalPhysicalMemory is not interpreted as a number
What do you think about this? I tried with a tonumber function but always ko!

Re: help on eval field which returns any results

nickhills — Thu, 20 Feb 2020 08:01:15 GMT

no, its different - we dont want the stats commands in the output.

Re: help on eval field which returns any results

jip31 — Thu, 20 Feb 2020 08:10:25 GMT

sorry i send it in 2 minutes

Re: help on eval field which returns any results

jip31 — Thu, 20 Feb 2020 08:21:25 GMT

https://www.cjoint.com/c/JBuitvtTFoD

Re: help on eval field which returns any results

to4kawa — Thu, 20 Feb 2020 09:21:19 GMT

look between Value 3149 and 2218
there is null field.
why?

Re: help on eval field which returns any results

nickhills — Thu, 20 Feb 2020 09:46:39 GMT

As suspected, your events are riddled with null values - you are getting the physical memory and FreeMemory (Value) from different events.

Try this (i have made some assumptions about host and _time) but see how this looks

 | fields _time host Value TotalPhysicalMemory 
 | bin span=5m _time
 | stats latest(Value) as FreeMemory latest(TotalPhysicalMemory) as TotalPhysicalMemory by host,_time
 | eval TotalMemory = round((TotalPhysicalMemory / 1024 / 1024), 0) 
 | eval MemoryUsage = round((TotalMemory-FreeMemory) / TotalMemory*100, 2) 
 | eval Free Memory='Free Memory'." MB", Total Memory='Total Memory'." MB", Memory Usage='Memory Usage'." %"
 |table _time host TotalMemory FreeMemory MemoryUsage

Re: help on eval field which returns any results

jip31 — Thu, 20 Feb 2020 09:46:40 GMT

Ok but I dont use | table in my search but stats by host
what I dont understand is that when i am doing a stats by host I have a value for all fields except MemoryUsage
So why I cant calculate this field??

Re: help on eval field which returns any results

nickhills — Thu, 20 Feb 2020 09:46:41 GMT

Because you are doing the stats (which merges the events) after the calculations have failed. My above example moves the stats before the calculations.

Re: help on eval field which returns any results

jip31 — Thu, 20 Feb 2020 10:29:46 GMT

thanks for your precious support!