Help on eval in a stats command
hello
I try to add a condition to my eval command
| stats sum(eval(retrans_bytes)) as retrans by site
So I need to do something like this, but it doesn't work
| stats sum(eval(retrans_bytes) AND (process="view.exe" OR netproc_process="remotemks.exe")) as retrans by site
could you help please?
The eval stats operation is somewhat incompletely and confusingly described in the docs (I have to submit feedback if I remember it when I get home).
A simple (or complex) condition is silently cast to 0/1 as true/false. That means that for a count() aggregation it works pretty well. But for other functions you have to manually specify a value which will be aggregated.
You might think of
stats agg(eval(expression))
as
eval var=expression | stats agg(var)
So what you need is (if I understand the logic of your condition)
stats sum(if(process="view.exe" OR netproc_process="remotemks.exe",retrans_bytes,null())) as [...]
In your particular case you can use 0 instead of null() because it doesn't skew the results but for other aggregations null() is better because splunk doesn't aggregate null fields so they are filtered out.
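As an added illustration (not part of the original answer), the following SPL puts the two forms described above side by side on a constructed set of four events with the fields site, process and retrans_bytes; the single process field stands in for the thread's process/netproc_process pair. The last stats line also computes avg() with null() and with 0, which is where the two differ: sum() gives the same total either way, but avg() divides by the number of non-null values, so the 0 variant counts every event in the denominator while the null() variant counts only the matching ones.

```spl
| makeresults count=4
| streamstats count as n
| eval site=if(n<=2,"siteA","siteB"),
       process=case(n==1,"view.exe", n==2,"other.exe", n==3,"remotemks.exe", n==4,"other.exe"),
       retrans_bytes=n*100
| eval retrans_cond=if(process="view.exe" OR process="remotemks.exe", retrans_bytes, null())
| stats sum(retrans_cond) as retrans_eval_first,
        sum(eval(if(process="view.exe" OR process="remotemks.exe", retrans_bytes, null()))) as retrans_inline_null,
        sum(eval(if(process="view.exe" OR process="remotemks.exe", retrans_bytes, 0))) as retrans_inline_zero,
        avg(eval(if(process="view.exe" OR process="remotemks.exe", retrans_bytes, null()))) as avg_null,
        avg(eval(if(process="view.exe" OR process="remotemks.exe", retrans_bytes, 0))) as avg_zero
        by site
```

retrans_eval_first, retrans_inline_null and retrans_inline_zero come out identical per site, while avg_zero is lower than avg_null because the non-matching events contribute a 0 to the average. Note that stats requires an "as" alias whenever an eval() expression is used inside an aggregation, which is why every column above is renamed.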
So considering my need, is it OK to do this:
stats sum(if(process="view.exe" OR netproc_process="remotemks.exe",retrans_bytes,null())) as retrans1, sum(if(process=*, retrans_bytes,null())) as retrans2
Close but not quite. I didn't count the parentheses 😉
But more importantly, the comparison in if is not a search operator but a simple equality comparison. So you can't do
if(index=*,...)
If I remember correctly, there is another function for that - check match() or searchmatch()
Sorry, but I am unable to apply it and I'm not sure that my need is well understood.
`index` (sourcetype="netproc" netproc_process="vmware-view.exe" OR netproc_process="vmware.remotemks.exe")
| fields netproc_tcp_retrans_bytes site
| stats sum(netproc_tcp_retrans_bytes) as retrans by site
Actually I sum the field "netproc_tcp_retrans_bytes" like this
What I need is to use the netproc_process field not in the sourcetype search but only in the stats command,
so I need something like this, but I don't succeed in writing it:
`index` (sourcetype="netproc_tcp" netproc_process="vmware-view.exe" OR netproc_process="vmware.remotemks.exe")
| fields netproc_tcp_retrans_bytes site
| stats sum(eval(netproc_tcp_retrans_bytes AND netproc_process="vmware-view.exe" OR netproc_process="vmware.remotemks.exe")) as retrans by site
So can anybody help me please?
You're most probably not understood correctly. You keep repeating "I'm trying to do 'this' but 'this' is written wrongly".
How are we supposed to know what you're trying to achieve then?
Try to rephrase it and tell us what is the problem you're trying to solve without using SPL.
Alternatively, use the other approach I showed you before - don't do stats(eval) because it does get confusing at times, but try to eval an additional field(s) first and then aggregate simply on this field (or fields).
This must work for you:
|your code ...
|search process="view.exe" OR netproc_process="remotemks.exe"
| stats sum(retrans_bytes) as retrans by site
I know, but it's not my need because I must use 2 different conditions on the same field in my stats command,
something like this
| stats sum(eval(retrans_bytes) AND (process="view.exe" OR netproc_process="remotemks.exe")) as retrans, sum(eval(retrans_bytes) AND (process=*)) as retrans2 by site
Dear friend, your query doesn't show different conditions:
on one hand (process="view.exe" OR netproc_process="remotemks.exe") and on the other hand (process=*)!!
The first condition is a subset of the second condition,
but I suppose that this must work for your target:
| eval flag=if(process="view.exe" OR netproc_process="remotemks.exe",1,0)
| stats sum(retrans_bytes) as retrans_bytes by site,flag
Perhaps I explain badly.
But what I need is to stats sum separately (process="view.exe" OR netproc_process="remotemks.exe") and netproc_process=* because I need to calculate a ratio between these 2 fields.
So the first condition is not a subset of the second condition!
So I need to build 2 different stats sum(eval....) with these 2 different conditions....
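As an added worked example (not posted by anyone in the thread), the following SPL computes the two conditional sums and the ratio asked for here, on six constructed events carrying the field names from the poster's own search (site, netproc_process, netproc_tcp_retrans_bytes). Because "netproc_process=*" is a search operator and not valid inside if(), the second condition is written with the eval function isnotnull(); the sixth constructed event deliberately has no netproc_process value so that it is excluded from the second sum, matching what "=*" would do in a search.

```spl
| makeresults count=6
| streamstats count as n
| eval site=if(n<=3,"siteA","siteB"),
       netproc_process=case(n%3==1,"vmware-view.exe", n%3==2,"vmware.remotemks.exe", n==3,"other.exe"),
       netproc_tcp_retrans_bytes=n*100
| stats sum(eval(if(netproc_process="vmware-view.exe" OR netproc_process="vmware.remotemks.exe", netproc_tcp_retrans_bytes, null()))) as retrans_selected,
        sum(eval(if(isnotnull(netproc_process), netproc_tcp_retrans_bytes, null()))) as retrans_any_process
        by site
| eval ratio=round(retrans_selected/retrans_any_process, 3)
```

For this to work on real data the base search must not already be restricted to the two processes, otherwise the denominator (retrans_any_process) only ever contains the same events as the numerator and the ratio is always 1; keep the sourcetype filter in the search and move the process conditions into the stats command as shown. The same result can be obtained with the eval-first style from the earlier answer by computing two helper fields before stats and summing them.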