Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error in 'stats' command: The number of wildcards between field specifier '((Success/Total)*100).%' and rename specifier

Nafees
Explorer
‎03-13-2023 12:25 AM

Hi There,

I am running below query,

base search | rename msg.message as "message", msg.customer as "customer" | stats count as Total, count(eval(isnull(msg.errorCode))) as Success, count(eval(isnotnull(msg.errorCode))) as Error, eval(((Success/Total)*100)."%") as SuccessRate by customer

and I am getting below error.

Error in 'stats' command: The number of wildcards between field specifier '((Success/Total)*100).%' and rename specifier 'SuccessRate' do not match. Note: empty field specifiers implies all fields, e.g. sum() == sum(*).

Can anyone please tell me where I am wrong?

basically I want to calculate a percent of total successful events here.

Thanks!!!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-13-2023 12:35 AM

Hi @Nafees,

you can use the eval command in stats, but only to filter results for a function, not for calculation, please try this:

base search 
| rename msg.message as "message", msg.customer as "customer" 
| stats 
   count AS Total
   count(eval(isnull(msg.errorCode))) AS Success 
   count(eval(isnotnull(msg.errorCode))) AS Error
   BY customer
| eval SuccessRate=(((Success/Total)*100)."%")

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

Nafees
Explorer
‎03-13-2023 12:46 AM

yes @gcusello , my apologies. Its working fine, I got confused at the start but when I tried this, it is working now. Thanks for your help as always. 🙂 One more Karma is on its way for you !!! 🙂

0 Karma
Reply
Solved! Jump to solution

Nafees
Explorer
‎03-13-2023 12:38 AM

Hi @gcusello ,

thanks for response, but I want to show Total, Success and Success Rate in one table which is grouped by the customers. How to do that then?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-13-2023 12:40 AM

Hi @Nafees,

did you tried my solution?

with it you have, for each customer, Total, Success and Success Rate on the same row.

What's the issue?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-13-2023 12:35 AM

Hi @Nafees,

you can use the eval command in stats, but only to filter results for a function, not for calculation, please try this:

base search 
| rename msg.message as "message", msg.customer as "customer" 
| stats 
   count AS Total
   count(eval(isnull(msg.errorCode))) AS Success 
   count(eval(isnotnull(msg.errorCode))) AS Error
   BY customer
| eval SuccessRate=(((Success/Total)*100)."%")

Ciao.

Giuseppe

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎03-13-2023 06:03 AM

Actually, while your solution as such is OK, the underlying explanation is not.

As I wrote in a feedback to the docs (which should have been included already, but for some reason still isn't), it works a bit different than just filtering.

The expression provided in eval() statement is evaluated and - true/false in case of count() is treated the same way as not null/null. That's why count(eval(a>b)) works like filtering. But that's due to implicit operations performed on the eval result. But understanding stats with eval() as filtering leads to wrongly built searches and/or bad results.

| stat agg(eval(expression))

is equivalent (remembering about the implicit conversion and the fact that you can't assign a boolean value to a field) to

| eval b=expression | stat agg(b)

Since stat with eval is often used with count as aggregation function, it might be indeed interpreted as filtering but it is not.

Example:

| makeresults count=10 
| streamstats count
| stats count(eval(count>4)) as c4
              sum(eval(count>4)) as s4
              sum(eval(if(count>4,count,null()))) as si4
              sum(eval(count*count)) as cs4

As you can see from this run-anywhere example, the count will give you proper number of events which have the count number higher than 4. There are of course 6 such events. But you can't sum booleans so the s4 field will be null. But the si4 field will contain sum of all count fields with value bigger than 4 and cs4 will contain sum of squares of all values of field count.

The reason for OP's error was lack of aggregation function, not eval as such.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...