Re: Adding two field values

mbolostk · ‎10-11-2011

I have been unable to add two field values and use the new value of a new column

I'm trying to take one field, multiply it by .60 then add that to another field that has been multiplied by .40. This is how I thought it would be created:

eval NewValue=(FirstValue*.60)+(SecondValue*.40)

I've verified that: | stats values(FirstValue) | and | stats values(SecondValue) | print out expected results

Any ideas/thoughts?

woodcock · ‎10-15-2019

Try this:

... | rex field=FirstValue mode=sed "s/^\s*// s/\s*$//"
| rex field=SecondValue mode=sed "s/^\s*// s/\s*$//"
| eval NewValue = (tonumber(FirstValue) * 0.60) + (tonumber(SecondValue) * 0.40)

sandeepmakkena · ‎10-15-2019

| eval NewValue = FirstValue*.60
| eval NewValue = SecondValue*.40
| chart count by NewValue
| eventstats sum(count) as total

Hope this helps, please comment if you have any questions.Thanks!

SilviaGebel · ‎04-16-2015

I know it has been some time since you posted this, but were you able to find a solution? Or does anyone else know an answer to this? I am facing the same problem.

neeldesai1992 · ‎10-11-2017

How did you verify the result of eval NewValue1=(FirstValue*.60)'s result? As eval doesn't printing out the result. then how can you say that you got the right result?

mbolostk · ‎10-13-2011

This is part of a much larger query. When I use table, it switches the order of the columns and displays nothing but the column not related to this part of the query. Any other thoughts/ideas?

dwaddle · ‎10-13-2011

Understood. The swap to table in lieu of stats was to enable testing your search in smaller chunks and see if the problem was related to stats or not.

dwaddle · ‎10-11-2011

It doesn't make sense why this would not work. It could be a misspelling or a CamelCaseProblem. I did a simple comparison search on my Splunk test instance:

index=_internal source="*metrics.log" per_source_thruput 
| eval foo=exact(kb*.60)
| eval foo2=exact(kb * .5) 
| eval foo3=foo+foo2 
| eval foo4=exact(kb*.60)+exact(kb*.50) 
| eval error=abs(foo4-foo3) 
| table kb,foo,foo2,foo3,foo4,error

This computes the value of (kb * .6) + (kb * .5) both stepwise and as a single expression, and compares the results. There was occasionally rounding error in the least significant digit, which should be expected with floating point.

Note, however, the use of exact() to make sure the various subexpressions were processed with floating point (instead of integer) maths.

dwaddle · ‎10-12-2011

Actually, I don't see anything obvious. Unfortunately, the answers site is somewhat messing up your comments (and your question) by taking the * and treating it like the beginning of italics markup. 😞 But, a question - could stats be messing this up somehow? Try this instead:

eval IE_Average=(IE_Response * .60) 
| eval FF_Average=(FF_Response * .40) 
| eval Averages=(IE_Average)+(FF_Average) 
| table IE_Response,FF_Response,IE_Average,FF_Average,Averages

mbolostk · ‎10-12-2011

Maybe a 2nd eye will help me see it. Here is that part:

eval IE_Average=(IE_Response*.60) | eval FF_Average=(FF_Response*.40) | eval Averages=(IE_Average)+(FF_Average) | stats values(IE_Response) values(FF_Response) values(IE_Average) values(FF_Average) values(Averages) by test_name

values(FF_Average) displays column fine
values(IE_Average) displays column fine

But values(Averages) displays nothing....

Adding two field values

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases