Splunk Dev
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- Re: getting error with stats
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jiaqya
Builder
03-30-2018
08:37 AM
i have numbers in Yes and Total columns and am trying to get a result using stats . but i keep getting error. not sure how to do this, can you help.
|stats eval(Yes/Total)*100 as Compliance
Error in 'stats' command: The aggregation specifier 'eval(Yes/Total)*100' is invalid. The aggregation specifier must be in func_name format.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
03-30-2018
08:53 AM
you cannot use eval inside of a stats command like that. try forming it more like this
|eval Compliance=(Yes/Total)*100)|stats values(Compliance) as Compliance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
03-30-2018
08:53 AM
you cannot use eval inside of a stats command like that. try forming it more like this
|eval Compliance=(Yes/Total)*100)|stats values(Compliance) as Compliance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jiaqya
Builder
03-30-2018
09:01 AM
Hi , thanks for your response, i tried what you gave above, but it did not give me the correct output.
the output of Yes, Total and Compliance is below. its already updated. what i am trying is to get the average value of Compliance. if i do avg(compliance) i get a different value and if i do sum(yes)/sum(total)*100 for compliance i get a different value, which is the correct one.
could you help me get the correct average from this table using stats or any other way.
Yes Total Compliance
0 1 0
0 4 0
1 1 100
224 225 99.56
5 5 100
15 15 100
88 92 95.65
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
03-30-2018
09:31 AM
how about something like this?
...|addcoltotals labelfield=Compliance|search Compliance="Total"|eval Compliance=(Yes/Total)*100
i put your data in this table so you can see what i did:
|makeresults|eval data="Yes=0,Total=1,Compliance=0 Yes=0,Total=4,Compliance=0 Yes=1,Total=1,Compliance=100 Yes=224,Total=225,Compliance=99.56 Yes=5,Total=5,Compliance=100 Yes=15,Total=15,Compliance=100 Yes=88,Total=92,Compliance=99.65"|makemv data|mvexpand data|rename data as _raw|kv|table Yes Total Compliance|addcoltotals labelfield=Compliance|search Compliance="Total"|eval Compliance=(Yes/Total)*100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jiaqya
Builder
03-31-2018
02:16 PM
it did help me . thanks
Get Updates on the Splunk Community!
Security Professional: Sharpen Your Defenses with These .conf25 Sessions
Sooooooooooo, guess what.
.conf25 is almost here, and if you're on the Security Learning Path, this is your ...
First Steps with Splunk SOAR
Our first step was to gather a list of the playbooks we wanted and to sort them by priority. Once this list ...
How To Build a Self-Service Observability Practice with Splunk Observability Cloud
If you’ve read our previous post on self-service observability, you already know what it is and why it ...
