https://community.splunk.com/t5/Splunk-Search/Eval-statement-not-working/m-p/107271#M27890 <P>You would be <EM>much</EM> better off running:</P> <PRE><CODE>index=sandbox sourcetype=as-cdr | stats count as numCalls count(eval(Termination_Cause=="016")) as numCallsSuccessful | eval callSuccRate = numCallsSuccessful/numCalls | table callSuccRate </CODE></PRE> <P>If your data set is very large, the subsearch will probably run into time limits. With Splunk it is generally a good idea to search the data set and retrieve data just once if possible, rather than running multiple searches or subsearches (particularly if they retrieve the same data or a subset of data).</P> Tue, 21 Dec 2010 10:14:50 GMT gkanapathy 2010-12-21T10:14:50Z https://community.splunk.com/t5/Splunk-Search/Eval-statement-not-working/m-p/107269#M27888 <P>For some reason the following isn't working:</P> <PRE><CODE>index="sandbox" sourcetype="as-cdr" |stats count AS numCalls |append [search index="sandbox" sourcetype="as-cdr" Termination_Cause="016"|stats count AS numCallsSuccessful] |eval callSuccRate=numCallsSuccessful/numCalls |table callSuccRate </CODE></PRE> <P>When running the searches separately I get 134 for numCalls, and 90 for numCallsSuccessful. However when I try to evaluate them and print it to a table I get no results found. Can anyone shed some light on what I'm doing wrong?</P> Tue, 21 Dec 2010 09:25:21 GMT https://community.splunk.com/t5/Splunk-Search/Eval-statement-not-working/m-p/107269#M27888 msarro 2010-12-21T09:25:21Z https://community.splunk.com/t5/Splunk-Search/Eval-statement-not-working/m-p/107270#M27889 <P>I should note I have a few reports I need to generate that use basically this same syntax. Its simple; and I can't quite figure out why its failing. Strangely I have a more complicated search that is working just fine.</P> Tue, 21 Dec 2010 09:44:59 GMT https://community.splunk.com/t5/Splunk-Search/Eval-statement-not-working/m-p/107270#M27889 msarro 2010-12-21T09:44:59Z https://community.splunk.com/t5/Splunk-Search/Eval-statement-not-working/m-p/107271#M27890 <P>You would be <EM>much</EM> better off running:</P> <PRE><CODE>index=sandbox sourcetype=as-cdr | stats count as numCalls count(eval(Termination_Cause=="016")) as numCallsSuccessful | eval callSuccRate = numCallsSuccessful/numCalls | table callSuccRate </CODE></PRE> <P>If your data set is very large, the subsearch will probably run into time limits. With Splunk it is generally a good idea to search the data set and retrieve data just once if possible, rather than running multiple searches or subsearches (particularly if they retrieve the same data or a subset of data).</P> Tue, 21 Dec 2010 10:14:50 GMT https://community.splunk.com/t5/Splunk-Search/Eval-statement-not-working/m-p/107271#M27890 gkanapathy 2010-12-21T10:14:50Z https://community.splunk.com/t5/Splunk-Search/Eval-statement-not-working/m-p/107272#M27891 <P>That actually fixed my issue, AND its a good pointer. Now I have to go and revisit some prior items I had done before <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Thanks!</P> Tue, 21 Dec 2010 10:41:21 GMT https://community.splunk.com/t5/Splunk-Search/Eval-statement-not-working/m-p/107272#M27891 msarro 2010-12-21T10:41:21Z https://community.splunk.com/t5/Splunk-Search/Eval-statement-not-working/m-p/107273#M27892 <P>Hi splunkers! </P> <P>I have to filter all the results of this field since 04/12/2018 until 04/12/2019 but when I do this search, it doesn't work , it comes results since from 2006!</P> <P>I have tried using date time picker , but its still not working too.</P> <P>How am I supposed to search? Do I have to use eval or another specific command?</P> <P>Thank you friends.</P> <P>![a</P> Fri, 12 Apr 2019 20:00:43 GMT https://community.splunk.com/t5/Splunk-Search/Eval-statement-not-working/m-p/107273#M27892 lucasdc 2019-04-12T20:00:43Z https://community.splunk.com/t5/Splunk-Search/Eval-statement-not-working/m-p/107274#M27893 <P>Hi splunkers!</P> <P>I have to filter all the results of this field since 04/12/2018 until 04/12/2019 but when I do this search, it doesn't work , it comes results since from 2006!</P> <P>I have tried using date time picker , but its still not working too.</P> <P>How am I supposed to search? Do I have to use eval or another specific command?</P> <P>Query:</P> <P>index="db_archer2" earliest=-8760h latest=now()<BR /> | fields "Nome do Projeto"<BR /> | dedup "Nome do Projeto"<BR /> | eval Hoje= now()<BR /> | eval Hoje= now()-8760<BR /> | convert ctime(Hoje) ctime()<BR /> | stats dc</P> <P>PS: The result was supposed to be 25 events.</P> <P>Thanks!!</P> Mon, 15 Apr 2019 13:46:26 GMT https://community.splunk.com/t5/Splunk-Search/Eval-statement-not-working/m-p/107274#M27893 lucasdc 2019-04-15T13:46:26Z