I am trying to add a condition in my eval command
| stats sum(eval(retrans_bytes)) as retrans by site
So I need to do something like this, but it doesn't work
| stats sum(eval(retrans_bytes) AND (process="view.exe" OR netproc_process="remotemks.exe")) as retrans by site
Could you help, please?
The eval-in-stats operation is somewhat incompletely and confusingly described in the docs (I have to submit feedback if I remember when I get home).
A simple (or complex) condition is silently cast to 0/1 as true/false. That means that for a count() aggregation it works pretty well. But for other functions you have to manually specify a value which will be aggregated.
You might think of
stats agg(eval(expression))
eval var=expression | stats agg(var)
So what you need is (if I understand the logic of your condition)
stats sum(eval(if(process="view.exe" OR netproc_process="remotemks.exe",retrans_bytes,null()))) as [...]
In your particular case you can use 0 instead of null(), because it doesn't skew the results, but for other aggregations null() is better, because Splunk doesn't aggregate null fields, so they are filtered out.
So, considering my need, is it OK to do this:
stats sum(if(process="view.exe" OR netproc_process="remotemks.exe",retrans_bytes,null())) as retrans1, sum(if(process=*, retrans_bytes,null())) as retrans2
Close but not quite. I didn't count the parentheses 😉
But more importantly, the comparison in if is not a search operator but a simple equality comparison. So you can't do
If I remember correctly, there is another function for that; check match() or searchmatch().
Sorry, but I am unable to apply it, and I am not sure that my need is well understood.
Actually I sum the field "netproc_tcp_retrans_bytes" like this:
`index` (sourcetype="netproc" netproc_process="vmware-view.exe" OR netproc_process="vmware.remotemks.exe")
| fields netproc_tcp_retrans_bytes site
| stats sum(netproc_tcp_retrans_bytes) as retrans by site
What I need is to use the netproc_process field not in the sourcetype part but only in the stats command.
So I need something like this, but I don't succeed in writing it:
`index` (sourcetype="netproc_tcp" netproc_process="vmware-view.exe" OR netproc_process="vmware.remotemks.exe")
| fields netproc_tcp_retrans_bytes site
| stats sum(eval(netproc_tcp_retrans_bytes AND netproc_process="vmware-view.exe" OR netproc_process="vmware.remotemks.exe")) as retrans by site
So, can anybody help me, please?
You're most probably not understood correctly. You keep repeating "I'm trying to do 'this' but 'this' is written wrongly".
How are we supposed to know what you're trying to achieve then?
Try to rephrase it and tell us what is the problem you're trying to solve without using SPL.
Alternatively, use the other approach I showed you before - don't do stats(eval) because it does get confusing at times, but try to eval an additional field(s) first and then aggregate simply on this field (or fields).
This must work for you:
|your code ...
|search process="view.exe" OR netproc_process="remotemks.exe"
| stats sum(retrans_bytes) as retrans by site
I know, but it's not what I need, because I must use 2 different conditions in my stats command on the same field.
Something like this:
| stats sum(eval(retrans_bytes) AND (process="view.exe" OR netproc_process="remotemks.exe")) as retrans, sum(eval(retrans_bytes) AND (process=*)) as retrans2 by site
Dear friend, your query doesn't show different conditions:
On the one hand: (process="view.exe" OR netproc_process="remotemks.exe"), and on the other hand (process=*)!!
The first condition is a subset of the second condition.
But I suppose this must work for your target:
| eval flag=if(process="view.exe" OR netproc_process="remotemks.exe",1,0)
| stats sum(retrans_bytes) as retrans_bytes by site,flag
Perhaps I explain badly.
But what I need is to sum separately (process="view.exe" OR netproc_process="remotemks.exe") and netproc_process=*, because I need to calculate a ratio between these 2 fields.
So the first condition is not a subset of the second condition!
So I need to build 2 different stats sum(eval....) with these 2 different conditions....
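Added example, not taken from any reply in this thread: it puts the stats sum(eval(if(...))) form from the first answer together with the ratio described in the last posts, so both conditional sums come out of one stats call and the ratio is computed per site afterwards. The `index` macro, the sourcetype and the field names (site, netproc_process, netproc_tcp_retrans_bytes) are the ones quoted earlier in the thread; the output names retrans_view, retrans_all and ratio_pct are assumptions chosen here, and sample data is assumed to already exist in the index.

```spl
`index` sourcetype="netproc_tcp"
| fields site netproc_process netproc_tcp_retrans_bytes
| stats sum(eval(if(netproc_process="vmware-view.exe" OR netproc_process="vmware.remotemks.exe", netproc_tcp_retrans_bytes, null()))) as retrans_view,
        sum(eval(if(isnotnull(netproc_process), netproc_tcp_retrans_bytes, null()))) as retrans_all
  by site
| eval ratio_pct=if(retrans_all>0, round(100*retrans_view/retrans_all, 2), null())
```

Two details matter here. First, the "netproc_process=*" condition cannot be written inside if(), because if() takes an eval expression, not a search term; isnotnull(netproc_process) expresses the same "field is present" test. Second, null() rather than 0 is returned for events that fail the condition, so that if sum() is later swapped for avg() or count(), those events are left out of the aggregation instead of being counted as zero-byte samples. The ratio is computed only after stats, once both sums exist on the same per-site row, and the division is guarded so sites with no matching traffic produce a null ratio rather than an error.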