Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Adding a new row in stats using values from previous search?

Vivekmishra01
Explorer
‎03-09-2023 09:49 AM

I want to add new row to my search result using values from the previous result. Basically I am counting few strings and I want to display percent of that matched string in a new row using some mathematical operators or function. Below is what I have done. My first query works fine but second query in append is giving error.

Error is: Error in 'eval' command: The expression is malformed. Expected AND.

 

 

 

index="12345" "Kubernetes.namespace"="testnamespace"
| bin _time
| stats count(eval(searchmatch("String1"))) AS Success
count(eval(searchmatch("string2"))) AS Sent
count(eval(searchmatch("string3"))) AS Failed
| append [ stats eval Success_percent= Success/(Success+Sent +Failed) AS Success
eval Sent_Percent= Sent/(Success+Sent +Failed) AS Sent
eval Failed_percent= Failed/(Success+Sent +Failed) AS Failed ]
| transpose 0 column_name="Status" | rename "row 1" as Count | rename "row 2" as "Percent"

 

 

 

Labels (2)
Labels
Tags (2)
Preview file
3 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-09-2023 11:51 AM

I think you need the appendpipe command rather than append.  As @skramp said, however, the subsearch is rubbish so either command will fail.

...
| appendpipe [ eval Success_percent = Success/(Success+Sent +Failed),
    Sent_Percent= Sent/(Success+Sent +Failed), 
    Failed_percent= Failed/(Success+Sent +Failed) ]
...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

Vivekmishra01
Explorer
‎03-10-2023 08:17 AM

This is not exactly what I was looking for, but it helped. "appendpipe" exactly gave me what I was looking for. Thanks.

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-09-2023 11:51 AM

I think you need the appendpipe command rather than append.  As @skramp said, however, the subsearch is rubbish so either command will fail.

...
| appendpipe [ eval Success_percent = Success/(Success+Sent +Failed),
    Sent_Percent= Sent/(Success+Sent +Failed), 
    Failed_percent= Failed/(Success+Sent +Failed) ]
...
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

skramp
SplunkTrust
SplunkTrust
‎03-09-2023 10:28 AM

Your syntax is invalid. By an append command you start a complete ausbrächte which could start with | search index=abcd … . And then an eval could follow but then you don’t need a stats in front of it.

0 Karma
Reply
Get Updates on the Splunk Community!

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

Splunk New Course Releases for a Changing World

Every day, the world feels like it’s moving faster with new technological breakthroughs, AI innovation, and ...