topic Re: help on eval in Splunk Search

help on eval

jip31 — Sat, 14 Jul 2018 08:20:27 GMT

hello
i try to use the code below but everytimes i have an issue of quote or parenthesis even if i do modifications:

| timechart span=10m eval(avg(if host=="$field1$",PercentProcessorTime,NULL)) as PercentProcessorTime_AVG by host 
OR eval(avg(if host=="$field2$",PercentProcessorTime,NULL)) as PercentProcessorTime_AVG by host

could you help me please

Re: help on eval

renjith_nair — Sat, 14 Jul 2018 10:28:35 GMT

Hi @jip31,

You need to enclose arguments of the if statement in a parenthesis like

| timechart span=10m eval(avg(if(host=="$field1$",PercentProcessorTime,NULL))) as PercentProcessorTime_AVG by host

Reference :
https://docs.splunk.com/Documentation/Splunk/7.1.1/Search/Usestatswithevalexpressionsandfunctions#Example_1:_Distinct_counts_of_matching_events

http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Eval#2._Use_the_if_function_to_analyze_field_values

Re: help on eval

woodcock — Sat, 14 Jul 2018 21:39:45 GMT

Try this:

| timechart span=10m avg(eval(if(host=="$field1$", PercentProcessorTime, null()))) AS PercentProcessorTime_AVG1
                     avg(eval(if(host=="$field2$", PercentProcessorTime, null()))) AS PercentProcessorTime_AVG2 BY host

Re: help on eval

jip31 — Mon, 16 Jul 2018 08:05:34 GMT

Hello i have an issue
https://www.cjoint.com/c/HGqh71VI8M0
could you help me please?

index="windows-wmi" sourcetype="WMI:CPUload"  host="$field1$" OR host="$field2$" (Name="mfetp/*" OR Name="mcshield/*") Name=$Service$
 | rex field=Name "^(?<Service>[^\/]+)[\/]" 
 | eval key=Service."-".host 
 | timechart span=10m avg(eval(if(host=="$field1$", PercentProcessorTime, null()))) AS PercentProcessorTime_AVG1
                    avg(eval(if(host=="$field2$", PercentProcessorTime, null()))) AS PercentProcessorTime_AVG2 BY host

Re: help on eval

renjith_nair — Mon, 16 Jul 2018 08:26:49 GMT

Hi @jip31 ,
If you want to do a timechart based on host, you could simply do it by

     index="windows-wmi" sourcetype="WMI:CPUload"  host="$field1$" OR host="$field2$" (Name="mfetp/*" OR Name="mcshield/*") Name=$Service$
      | rex field=Name "^(?<Service>[^\/]+)[\/]" 
      | eval key=Service."-".host 
      | timechart span=10m avg(PercentProcessorTime) as PercentProcessorTime BY host

Re: help on eval

jip31 — Mon, 16 Jul 2018 08:26:50 GMT

Many thanks!

Re: help on eval

renjith_nair — Mon, 16 Jul 2018 08:26:51 GMT

@jip31 ,if the above answers your question, you shall accept it or vote it 🙂

Re: help on eval

jip31 — Mon, 16 Jul 2018 11:36:52 GMT

THANKS RENJITH

Re: help on eval

renjith_nair — Mon, 16 Jul 2018 12:44:32 GMT

@jip31 , again you are accepting your own answer. If one of the answer is helpful for you, please accept it or vote for it 🙂 .
@asiddique_splunk might be able to help you!

Re: help on eval

woodcock — Mon, 16 Jul 2018 14:15:44 GMT

Did you mean to click Accept here?