Splunk Dev
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- Re: getting error with stats
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jiaqya
Builder
03-30-2018
08:37 AM
i have numbers in Yes and Total columns and am trying to get a result using stats . but i keep getting error. not sure how to do this, can you help.
|stats eval(Yes/Total)*100 as Compliance
Error in 'stats' command: The aggregation specifier 'eval(Yes/Total)*100' is invalid. The aggregation specifier must be in func_name format.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
03-30-2018
08:53 AM
you cannot use eval inside of a stats command like that. try forming it more like this
|eval Compliance=(Yes/Total)*100)|stats values(Compliance) as Compliance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
03-30-2018
08:53 AM
you cannot use eval inside of a stats command like that. try forming it more like this
|eval Compliance=(Yes/Total)*100)|stats values(Compliance) as Compliance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jiaqya
Builder
03-30-2018
09:01 AM
Hi , thanks for your response, i tried what you gave above, but it did not give me the correct output.
the output of Yes, Total and Compliance is below. its already updated. what i am trying is to get the average value of Compliance. if i do avg(compliance) i get a different value and if i do sum(yes)/sum(total)*100 for compliance i get a different value, which is the correct one.
could you help me get the correct average from this table using stats or any other way.
Yes Total Compliance
0 1 0
0 4 0
1 1 100
224 225 99.56
5 5 100
15 15 100
88 92 95.65
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
03-30-2018
09:31 AM
how about something like this?
...|addcoltotals labelfield=Compliance|search Compliance="Total"|eval Compliance=(Yes/Total)*100
i put your data in this table so you can see what i did:
|makeresults|eval data="Yes=0,Total=1,Compliance=0 Yes=0,Total=4,Compliance=0 Yes=1,Total=1,Compliance=100 Yes=224,Total=225,Compliance=99.56 Yes=5,Total=5,Compliance=100 Yes=15,Total=15,Compliance=100 Yes=88,Total=92,Compliance=99.65"|makemv data|mvexpand data|rename data as _raw|kv|table Yes Total Compliance|addcoltotals labelfield=Compliance|search Compliance="Total"|eval Compliance=(Yes/Total)*100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jiaqya
Builder
03-31-2018
02:16 PM
it did help me . thanks
Get Updates on the Splunk Community!
See just what you’ve been missing | Observability tracks at Splunk University
Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...
Weezer at .conf25? Say it ain’t so!
Hello Splunkers,
The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...
How SC4S Makes Suricata Logs Ingestion Simple
Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...
