Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error in 'stats' command: The number of wildcards between field specifier '((Success/Total)*100).%' and rename specifier

Nafees
Explorer
‎03-13-2023 12:25 AM

Hi There,

I am running below query,

base search | rename msg.message as "message", msg.customer as "customer" | stats count as Total, count(eval(isnull(msg.errorCode))) as Success, count(eval(isnotnull(msg.errorCode))) as Error, eval(((Success/Total)*100)."%") as SuccessRate by customer

and I am getting below error.

Error in 'stats' command: The number of wildcards between field specifier '((Success/Total)*100).%' and rename specifier 'SuccessRate' do not match. Note: empty field specifiers implies all fields, e.g. sum() == sum(*).

Can anyone please tell me where I am wrong?

basically I want to calculate a percent of total successful events here.

Thanks!!!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-13-2023 12:35 AM

Hi @Nafees,

you can use the eval command in stats, but only to filter results for a function, not for calculation, please try this:

base search 
| rename msg.message as "message", msg.customer as "customer" 
| stats 
   count AS Total
   count(eval(isnull(msg.errorCode))) AS Success 
   count(eval(isnotnull(msg.errorCode))) AS Error
   BY customer
| eval SuccessRate=(((Success/Total)*100)."%")

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

Nafees
Explorer
‎03-13-2023 12:46 AM

yes @gcusello , my apologies. Its working fine, I got confused at the start but when I tried this, it is working now. Thanks for your help as always. 🙂 One more Karma is on its way for you !!! 🙂

0 Karma
Reply
Solved! Jump to solution

Nafees
Explorer
‎03-13-2023 12:38 AM

Hi @gcusello ,

thanks for response, but I want to show Total, Success and Success Rate in one table which is grouped by the customers. How to do that then?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-13-2023 12:40 AM

Hi @Nafees,

did you tried my solution?

with it you have, for each customer, Total, Success and Success Rate on the same row.

What's the issue?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-13-2023 12:35 AM

Hi @Nafees,

you can use the eval command in stats, but only to filter results for a function, not for calculation, please try this:

base search 
| rename msg.message as "message", msg.customer as "customer" 
| stats 
   count AS Total
   count(eval(isnull(msg.errorCode))) AS Success 
   count(eval(isnotnull(msg.errorCode))) AS Error
   BY customer
| eval SuccessRate=(((Success/Total)*100)."%")

Ciao.

Giuseppe

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎03-13-2023 06:03 AM

Actually, while your solution as such is OK, the underlying explanation is not.

As I wrote in a feedback to the docs (which should have been included already, but for some reason still isn't), it works a bit different than just filtering.

The expression provided in eval() statement is evaluated and - true/false in case of count() is treated the same way as not null/null. That's why count(eval(a>b)) works like filtering. But that's due to implicit operations performed on the eval result. But understanding stats with eval() as filtering leads to wrongly built searches and/or bad results.

| stat agg(eval(expression))

is equivalent (remembering about the implicit conversion and the fact that you can't assign a boolean value to a field) to

| eval b=expression | stat agg(b)

Since stat with eval is often used with count as aggregation function, it might be indeed interpreted as filtering but it is not.

Example:

| makeresults count=10 
| streamstats count
| stats count(eval(count>4)) as c4
              sum(eval(count>4)) as s4
              sum(eval(if(count>4,count,null()))) as si4
              sum(eval(count*count)) as cs4

As you can see from this run-anywhere example, the count will give you proper number of events which have the count number higher than 4. There are of course 6 such events. But you can't sum booleans so the s4 field will be null. But the si4 field will contain sum of all count fields with value bigger than 4 and cs4 will contain sum of squares of all values of field count.

The reason for OP's error was lack of aggregation function, not eval as such.

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...