Splunk Enterprise

Help on eval in a stats command

jip31
Motivator

Hello,

I'm trying to add a condition to my eval command.

| stats  sum(eval(retrans_bytes)) as retrans by site

So I need to do something like this, but it doesn't work:

 

| stats  sum(eval(retrans_bytes) AND (process="view.exe" OR netproc_process="remotemks.exe")) as retrans by site

Could you help, please?

0 Karma

PickleRick
SplunkTrust

The eval stats operation is somewhat incompletely and confusingly described in the docs (I have to submit feedback if I remember when I get home).

A simple (or complex) condition is silently cast to 0/1 as true/false. That means that for a count() aggregation it works pretty well. But for other functions you have to manually specify a value which will be aggregated.

You might think of

stats agg(eval(expression))

as

eval var=expression | stats agg(var)

So what you need is (if I understand the logic of your condition)

stats sum(eval(if(process="view.exe" OR netproc_process="remotemks.exe",retrans_bytes,null()))) as [...]

In your particular case you can use 0 instead of null() because it doesn't skew the results, but for other aggregations null() is better because Splunk doesn't aggregate null fields, so they are filtered out.

0 Karma

jip31
Motivator

So, considering my need, is it OK to do this:

stats sum(eval(if(process="view.exe" OR netproc_process="remotemks.exe",retrans_bytes,null()))) as retrans1, sum(eval(if(process=*, retrans_bytes,null()))) as retrans2

0 Karma

PickleRick
SplunkTrust

Close but not quite. I didn't count the parentheses 😉

But more importantly, the comparison in if is not a search operator but a simple equality comparison. So you can't do

if(index=*,...)

If I remember correctly, there is another function for that: check match() or searchmatch().

0 Karma

jip31
Motivator

Sorry, but I am unable to apply it, and I'm not sure that my need is well understood.

`index` (sourcetype="netproc" netproc_process="vmware-view.exe" OR netproc_process="vmware.remotemks.exe") 
| fields netproc_tcp_retrans_bytes site 
| stats sum(netproc_tcp_retrans_bytes) as retrans by site

Actually, I sum the field "netproc_tcp_retrans_bytes" like this.

What I need is to use the netproc_process field not in the sourcetype but only in the stats command.

So I need something like this, but I don't succeed in writing it:

`index` (sourcetype="netproc_tcp" netproc_process="vmware-view.exe" OR netproc_process="vmware.remotemks.exe") 
| fields netproc_tcp_retrans_bytes site 
| stats sum(eval(netproc_tcp_retrans_bytes AND netproc_process="vmware-view.exe" OR netproc_process="vmware.remotemks.exe")) as retrans by site

So, can anybody help me, please?
0 Karma

PickleRick
SplunkTrust

You're most probably not understood correctly. You keep repeating "I'm trying to do 'this' but 'this' is written wrongly".

How are we supposed to know what you're trying to achieve then?

Try to rephrase it and tell us what the problem is that you're trying to solve, without using SPL.

Alternatively, use the other approach I showed you before: don't do stats(eval), because it does get confusing at times, but try to eval an additional field (or fields) first and then aggregate simply on this field (or fields).

marysan
Communicator

This must work for you:
|your code ...
|search process="view.exe" OR netproc_process="remotemks.exe"
| stats sum(retrans_bytes)  as retrans  by site

0 Karma

jip31
Motivator

I know, but it's not my need, because I must use 2 different conditions in my stats command from the same field.

Something like this:

| stats sum(eval(retrans_bytes) AND (process="view.exe" OR netproc_process="remotemks.exe")) as retrans, sum(eval(retrans_bytes) AND (process=*)) as retrans2 by site

0 Karma

marysan
Communicator

Dear friend, your query doesn't show different conditions:
on one hand: (process="view.exe" OR netproc_process="remotemks.exe") and on the other hand (process=*)!!
The first condition is a subset of the second condition.

But I suppose that this must work for your target:
| eval flag=if(process="view.exe" OR netproc_process="remotemks.exe",1,0)
| stats sum(retrans_bytes) as retrans_bytes by site,flag

0 Karma

jip31
Motivator

Perhaps I explain badly.

But what I need is to stats sum separately (process="view.exe" OR netproc_process="remotemks.exe") and netproc_process=*, because I need to calculate a ratio between these 2 fields.

So the first condition is not a subset of the second condition!

So I need to build 2 different stats sum(eval....) with these 2 different conditions....

0 Karma
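Putting the thread's pieces together (PickleRick's if(condition, value, null()) wrapped in eval() so that only matching events contribute to the sum, and the point that field=* is a search operator rather than an if() comparison), here is one complete query for the ratio jip31 describes. It is an added example, not one of the participants' queries; it assumes the `index` macro and the field names from jip31's posts (netproc_process, netproc_tcp_retrans_bytes, site), that "netproc_process=*" means events where that field has any value, and that the sourcetype is netproc.

```spl
`index` sourcetype="netproc"
| fields netproc_process netproc_tcp_retrans_bytes site
| eval is_view=if(netproc_process="vmware-view.exe" OR netproc_process="vmware.remotemks.exe", 1, 0)
| stats
    sum(eval(if(is_view=1, netproc_tcp_retrans_bytes, null()))) as retrans_view,
    sum(eval(if(isnotnull(netproc_process), netproc_tcp_retrans_bytes, null()))) as retrans_all
  by site
| fillnull value=0 retrans_view retrans_all
| eval ratio_pct=if(retrans_all > 0, round(100 * retrans_view / retrans_all, 2), null())
```

The eval before stats materialises the condition as a 0/1 flag (the "eval first, then aggregate" form PickleRick and marysan recommend), so the first sum is easy to read and to check with a quick `| stats count by is_view`. The second sum uses isnotnull() in place of the search-style "netproc_process=*", which if() does not understand. fillnull turns a site with no matching events into 0 rather than a missing field, and the guard on retrans_all avoids a divide-by-zero for sites with no traffic at all.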