Splunk Search

Adding a new row in stats using values from previous search?

Vivekmishra01
Explorer

I want to add a new row to my search result using values from the previous result. Basically I am counting a few strings and I want to display the percent of each matched string in a new row using some mathematical operators or function. Below is what I have done. My first query works fine, but the second query in append is giving an error.

Error is: Error in 'eval' command: The expression is malformed. Expected AND.

index="12345" "Kubernetes.namespace"="testnamespace"
| bin _time
| stats count(eval(searchmatch("String1"))) AS Success
count(eval(searchmatch("string2"))) AS Sent
count(eval(searchmatch("string3"))) AS Failed
| append [ stats eval Success_percent= Success/(Success+Sent +Failed) AS Success
eval Sent_Percent= Sent/(Success+Sent +Failed) AS Sent
eval Failed_percent= Failed/(Success+Sent +Failed) AS Failed ]
| transpose 0 column_name="Status" | rename "row 1" as Count | rename "row 2" as "Percent"


richgalloway
SplunkTrust

I think you need the appendpipe command rather than append. As @skramp said, however, the subsearch is rubbish so either command will fail.

...
| appendpipe [ eval Success_percent = Success/(Success+Sent +Failed),
    Sent_Percent= Sent/(Success+Sent +Failed), 
    Failed_percent= Failed/(Success+Sent +Failed) ]
...
---
If this reply helps you, Karma would be appreciated.

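The full pipeline as the question intended it, as an added example that is not code from the thread: inside appendpipe the count fields are overwritten with percentages, so the appended second row carries percentages while the first keeps the raw counts, and transpose then yields one Count and one Percent column. The index, namespace and match strings are the question's own placeholders; the bin _time from the question is omitted because stats is not split by _time, and a Total of zero is mapped to 0 instead of a null division.

```spl
index="12345" "Kubernetes.namespace"="testnamespace"
| stats count(eval(searchmatch("String1"))) AS Success
        count(eval(searchmatch("string2"))) AS Sent
        count(eval(searchmatch("string3"))) AS Failed
| appendpipe [
    eval Total = Success + Sent + Failed
    | eval Success = if(Total > 0, round(100 * Success / Total, 2), 0),
           Sent    = if(Total > 0, round(100 * Sent / Total, 2), 0),
           Failed  = if(Total > 0, round(100 * Failed / Total, 2), 0)
    | fields - Total
  ]
| transpose 0 column_name="Status"
| rename "row 1" AS Count, "row 2" AS Percent
```

The result is three rows (Success, Sent, Failed) with a Count column holding the raw counts and a Percent column holding each count's share of the total.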

Vivekmishra01
Explorer

This is not exactly what I was looking for, but it helped. "appendpipe" exactly gave me what I was looking for. Thanks.

skramp
SplunkTrust

Your syntax is invalid. With an append command you start a complete search, which could start with | search index=abcd … . An eval could then follow, but then you don't need a stats in front of it.
