https://community.splunk.com/t5/Splunk-Search/Unable-to-use-eval-with-stats/m-p/102054#M26362 <P>Hi.. do want to sum up all fields. Or is it just one. Since I don't have your data to play with, I used access_combined logs with clientip and status instead of id and uid.</P> <P>From what I understand in your query, your first stats command will give you two columns, and then you filter one out with the fields command. Then you just have id left.</P> <P>See edit of original answer for more info.</P> Tue, 01 Nov 2011 23:30:33 GMT kristian_kolb 2011-11-01T23:30:33Z https://community.splunk.com/t5/Splunk-Search/Unable-to-use-eval-with-stats/m-p/102051#M26359 <P>How do I use eval in below query to add hard coded value, say 1000 to the final count?</P> <PRE><CODE>index=myindex | stats first(id) by uid | fields – uid | stats sum() </CODE></PRE> <P>I tried using </P> <PRE><CODE>index=myindex | stats first(id) by uid | fields – uid | stats eval(1000 + sum()) </CODE></PRE> <P>but the eval does not work with stats…</P> <P>Any help is much appreciated!</P> <P>Thanks!</P> Tue, 01 Nov 2011 22:23:41 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-use-eval-with-stats/m-p/102051#M26359 freephoneid 2011-11-01T22:23:41Z https://community.splunk.com/t5/Splunk-Search/Unable-to-use-eval-with-stats/m-p/102052#M26360 <P>Hmm, not really sure about what you're trying to accomplish, but adding a static value is quite simple. Since I don't really understand your goals, I'll illustrate it with adding 1000 to the http-status value in an access_combined log.</P> <PRE><CODE>sourcetype=access_combined | eval status=status+1000 | stats values(status) AS new_status by clientip </CODE></PRE> <P>This results in a table like</P> <PRE><CODE>clientip new_status ---------------------- 1.2.3.4 1404 1200 1503 1.2.3.5 1200 1302 </CODE></PRE> <P>Hope this helps a little bit at least. Feel free to give more information on what you want to achieve.</P> <P>UPDATE: would the following search give the same results as what you have right now, i.e. not adding the 1000?</P> <PRE><CODE>index=myindex | stats first(id) AS temp_id by uid | stats sum(temp_id) </CODE></PRE> <P>in that case</P> <PRE><CODE>index=myindex | stats first(id) AS temp_id by uid | stats sum(temp_id) AS temp_id | eval temp_id = temp_id +1000 </CODE></PRE> <P>should to the trick. </P> <P>/Kristian</P> Tue, 01 Nov 2011 22:58:14 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-use-eval-with-stats/m-p/102052#M26360 kristian_kolb 2011-11-01T22:58:14Z https://community.splunk.com/t5/Splunk-Search/Unable-to-use-eval-with-stats/m-p/102053#M26361 <P>hi...I want to add hard coded value 1000 to the output of the stats sum()....How can I do this? If index=myindex | stats first(id) by uid | fields – uid | stats sum() gives 500 as output then I want it to be displayed as 1500 as single value...</P> Tue, 01 Nov 2011 23:07:15 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-use-eval-with-stats/m-p/102053#M26361 freephoneid 2011-11-01T23:07:15Z https://community.splunk.com/t5/Splunk-Search/Unable-to-use-eval-with-stats/m-p/102054#M26362 <P>Hi.. do want to sum up all fields. Or is it just one. Since I don't have your data to play with, I used access_combined logs with clientip and status instead of id and uid.</P> <P>From what I understand in your query, your first stats command will give you two columns, and then you filter one out with the fields command. Then you just have id left.</P> <P>See edit of original answer for more info.</P> Tue, 01 Nov 2011 23:30:33 GMT https://community.splunk.com/t5/Splunk-Search/Unable-to-use-eval-with-stats/m-p/102054#M26362 kristian_kolb 2011-11-01T23:30:33Z