https://community.splunk.com/t5/Splunk-Search/Problem-getting-count-eval-from-chart-command/m-p/101007#M26100 <P>Trying to emulate <A href="http://www.splunk.com/base/Documentation/4.1.6/SearchReference/Chart#Example_1" rel="nofollow">example given here</A>, but totals always come up zero. Basic search returns over 1,000 events for a 4 hour period, containing 4 eventcodes: 636, 637, 4732, 4733.</P> <PRE><CODE>"ConfigMgr Remote" |chart count(Eval(EventCode="636")) AS Added, count(Eval(EventCode="637")) AS Removed </CODE></PRE> <P>Splunk GUI returns: Specified field(s) missing from results: 'Eval(EventCode=636)', 'Eval(EventCode=637)' </P> <P>Have also tried if, case, and like functions of eval (with &amp; without quoted aurguments):</P> <PRE><CODE>"ConfigMgr Remote" |chart count(Eval(If EventCode == "636", "1", "0")) AS Added, count(Eval(Case EventCode == "637", 1, EventCode == 4733, 1)) AS Removed, count(Eval(like, Message, "%removed%")) AS Removed2 </CODE></PRE> <P><A href="http://answers.splunk.com/questions/2295/how-come-some-fields-disappear-when-they-go-into-timechart-chart" rel="nofollow">Answer here</A> looks promising, but can't get bin and stats to work either. </P> <P>Final goal, after I get the basic chart to work, is to change to timechart:</P> <PRE><CODE>"ConfigMgr Remote" |timechart count(Eval(EventCode="636" OR EventCode="4732")) AS Added, count(Eval(EventCode="637" OR EventCode="4733")) AS Removed </CODE></PRE> Wed, 08 Dec 2010 06:01:09 GMT rgcox1 2010-12-08T06:01:09Z https://community.splunk.com/t5/Splunk-Search/Problem-getting-count-eval-from-chart-command/m-p/101007#M26100 <P>Trying to emulate <A href="http://www.splunk.com/base/Documentation/4.1.6/SearchReference/Chart#Example_1" rel="nofollow">example given here</A>, but totals always come up zero. Basic search returns over 1,000 events for a 4 hour period, containing 4 eventcodes: 636, 637, 4732, 4733.</P> <PRE><CODE>"ConfigMgr Remote" |chart count(Eval(EventCode="636")) AS Added, count(Eval(EventCode="637")) AS Removed </CODE></PRE> <P>Splunk GUI returns: Specified field(s) missing from results: 'Eval(EventCode=636)', 'Eval(EventCode=637)' </P> <P>Have also tried if, case, and like functions of eval (with &amp; without quoted aurguments):</P> <PRE><CODE>"ConfigMgr Remote" |chart count(Eval(If EventCode == "636", "1", "0")) AS Added, count(Eval(Case EventCode == "637", 1, EventCode == 4733, 1)) AS Removed, count(Eval(like, Message, "%removed%")) AS Removed2 </CODE></PRE> <P><A href="http://answers.splunk.com/questions/2295/how-come-some-fields-disappear-when-they-go-into-timechart-chart" rel="nofollow">Answer here</A> looks promising, but can't get bin and stats to work either. </P> <P>Final goal, after I get the basic chart to work, is to change to timechart:</P> <PRE><CODE>"ConfigMgr Remote" |timechart count(Eval(EventCode="636" OR EventCode="4732")) AS Added, count(Eval(EventCode="637" OR EventCode="4733")) AS Removed </CODE></PRE> Wed, 08 Dec 2010 06:01:09 GMT https://community.splunk.com/t5/Splunk-Search/Problem-getting-count-eval-from-chart-command/m-p/101007#M26100 rgcox1 2010-12-08T06:01:09Z https://community.splunk.com/t5/Splunk-Search/Problem-getting-count-eval-from-chart-command/m-p/101008#M26101 <P><CODE>eval()</CODE> needs to be written with a lower-case <CODE>e</CODE>, not upper-case <CODE>E</CODE>. I believe the same is true of <CODE>if()</CODE></P> Wed, 08 Dec 2010 15:10:29 GMT https://community.splunk.com/t5/Splunk-Search/Problem-getting-count-eval-from-chart-command/m-p/101008#M26101 gkanapathy 2010-12-08T15:10:29Z https://community.splunk.com/t5/Splunk-Search/Problem-getting-count-eval-from-chart-command/m-p/101009#M26102 <P>Thanks - one day maybe I'll get used to the case sensitivity almost everywhere!</P> Thu, 09 Dec 2010 00:16:28 GMT https://community.splunk.com/t5/Splunk-Search/Problem-getting-count-eval-from-chart-command/m-p/101009#M26102 rgcox1 2010-12-09T00:16:28Z