topic Re: How to use differnt Eval statement for the same column in Splunk Search

How to use differnt Eval statement for the same column

Michael_Schyma1 — Mon, 28 Sep 2020 12:24:09 GMT

Hello everyone, I am trying to create a search that will tell me yesterdays total usage. We have both a dev and a production enviornment and i would like to create a search that takes the 2GB that are allocated to the dev and the 19 GB that are allocated to the production and show a percentage based off of that. Where i have ((volume/18)*100) is applied to both the dev and the prod and gives it a wrong number for the dev since i only want to divide by 2. Does anyone have any idea of how to seperate the eval statement that I have so that one is attached to dev ((volume/2)*100) and the other to production ((volume/18)*100). This will give me the proper percentages, or maybe another way to do this. Thank you,

Here is my Search:

index=_internal source=*license_usage* type=Usage | eval GB=b/1024/1024/1024  | bucket _time span=1d | stats sum(GB) AS volume by _time pool | eval percent_difference=((volume/18)*100) |fields _time pool volume percent_difference|rename _time AS Date/Time pool AS Pool volume AS Volume(GB) percent_difference AS Percent(%)| convert timeformat="%m/%d/%Y %H:%M:%S %p" ctime(Date/Time)

Updated Serach: ( Still having problem on getting the percentages to display)

index=_internal source=license_usage type=Usage | eval GB=b/1024/1024/1024| eval Percent(%)=case(type="Splunk Development",((volume/2)*100), type="auto_generated_pool_enterprise",((volume/18)*100))   | bucket _time span=1d | stats sum(GB) AS volume by _time pool |fields _time pool volume percent_difference|rename _time AS Date/Time pool AS Pool volume AS Volume(GB) percent_difference AS Percent(%)| convert timeformat="%m/%d/%Y %H:%M:%S %p" ctime(Date/Time)

Re: How to use differnt Eval statement for the same column

MHibbin — Fri, 07 Sep 2012 15:57:25 GMT

if you have a another column/field that defines production/development (you could always create one using eval and case statements), you could use that field in a case statement, something like

..| eval percent_difference=case(type==prod,((volume/18)*100), type==dev, ((volume/2)*100))|..

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/eval
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

Hope this helps.

MHibbin

Re: How to use differnt Eval statement for the same column

Michael_Schyma1 — Fri, 07 Sep 2012 15:59:41 GMT

Thank you, I was just thinking maybe i can create another static field that just has 18 and 2 in them and divide volume by that, but i am not sure how to create a static number that is not in the log files. Im going to give what you said a shot. Thank you again.

Re: How to use differnt Eval statement for the same column

Michael_Schyma1 — Fri, 07 Sep 2012 16:06:34 GMT

I am getting a weird error when I place that into my search:

Error in 'eval' command: The expression is malformed. Expected ).

Re: How to use differnt Eval statement for the same column

MHibbin — Fri, 07 Sep 2012 16:15:37 GMT

Try putting prod and dev in quotations.

If that doesn't work please paste your new search string here

Re: How to use differnt Eval statement for the same column

Michael_Schyma1 — Fri, 07 Sep 2012 17:23:44 GMT

I have figured it out so i do not get the error, but it is still not returning results. The updates search is in the original question. Thank you

Re: How to use differnt Eval statement for the same column

Michael_Schyma1 — Mon, 10 Sep 2012 18:20:26 GMT

This is still not working, Any other suggestions.