topic Re: Adding two field values in Splunk Search

Adding two field values

mbolostk — Tue, 11 Oct 2011 22:17:38 GMT

I have been unable to add two field values and use the new value of a new column

I'm trying to take one field, multiply it by .60 then add that to another field that has been multiplied by .40. This is how I thought it would be created:

eval NewValue=(FirstValue*.60)+(SecondValue*.40)

I've verified that: | stats values(FirstValue) | and | stats values(SecondValue) | print out expected results

Any ideas/thoughts?

Re: Adding two field values

dwaddle — Tue, 11 Oct 2011 23:25:32 GMT

It doesn't make sense why this would not work. It could be a misspelling or a CamelCaseProblem. I did a simple comparison search on my Splunk test instance:

index=_internal source="*metrics.log" per_source_thruput 
| eval foo=exact(kb*.60)
| eval foo2=exact(kb * .5) 
| eval foo3=foo+foo2 
| eval foo4=exact(kb*.60)+exact(kb*.50) 
| eval error=abs(foo4-foo3) 
| table kb,foo,foo2,foo3,foo4,error

This computes the value of (kb * .6) + (kb * .5) both stepwise and as a single expression, and compares the results. There was occasionally rounding error in the least significant digit, which should be expected with floating point.

Note, however, the use of exact() to make sure the various subexpressions were processed with floating point (instead of integer) maths.

Re: Adding two field values

mbolostk — Mon, 28 Sep 2020 09:58:51 GMT

Maybe a 2nd eye will help me see it. Here is that part:

eval IE_Average=(IE_Response*.60) | eval FF_Average=(FF_Response*.40) | eval Averages=(IE_Average)+(FF_Average) | stats values(IE_Response) values(FF_Response) values(IE_Average) values(FF_Average) values(Averages) by test_name

values(FF_Average) displays column fine
values(IE_Average) displays column fine

But values(Averages) displays nothing....

Re: Adding two field values

dwaddle — Thu, 13 Oct 2011 02:13:07 GMT

Actually, I don't see anything obvious. Unfortunately, the answers site is somewhat messing up your comments (and your question) by taking the * and treating it like the beginning of italics markup. 😞 But, a question - could stats be messing this up somehow? Try this instead:

eval IE_Average=(IE_Response * .60) 
| eval FF_Average=(FF_Response * .40) 
| eval Averages=(IE_Average)+(FF_Average) 
| table IE_Response,FF_Response,IE_Average,FF_Average,Averages

Re: Adding two field values

mbolostk — Thu, 13 Oct 2011 21:17:03 GMT

This is part of a much larger query. When I use table, it switches the order of the columns and displays nothing but the column not related to this part of the query. Any other thoughts/ideas?

Re: Adding two field values

dwaddle — Thu, 13 Oct 2011 23:36:29 GMT

Understood. The swap to table in lieu of stats was to enable testing your search in smaller chunks and see if the problem was related to stats or not.

Re: Adding two field values

SilviaGebel — Thu, 16 Apr 2015 08:00:05 GMT

I know it has been some time since you posted this, but were you able to find a solution? Or does anyone else know an answer to this? I am facing the same problem.

Re: Adding two field values

neeldesai1992 — Wed, 11 Oct 2017 21:16:06 GMT

How did you verify the result of eval NewValue1=(FirstValue*.60)'s result? As eval doesn't printing out the result. then how can you say that you got the right result?

Re: Adding two field values

sandeepmakkena — Tue, 15 Oct 2019 23:31:18 GMT

| eval NewValue = FirstValue*.60
| eval NewValue = SecondValue*.40
| chart count by NewValue
| eventstats sum(count) as total

Hope this helps, please comment if you have any questions.Thanks!

Re: Adding two field values

woodcock — Wed, 16 Oct 2019 01:03:29 GMT

Try this:

... | rex field=FirstValue mode=sed "s/^\s*// s/\s*$//"
| rex field=SecondValue mode=sed "s/^\s*// s/\s*$//"
| eval NewValue = (tonumber(FirstValue) * 0.60) + (tonumber(SecondValue) * 0.40)