I have been unable to add two field values and use the new value of a new column
I'm trying to take one field, multiply it by .60 then add that to another field that has been multiplied by .40. This is how I thought it would be created:
I've verified that:
| stats values(FirstValue) | and
| stats values(SecondValue) | print out expected results
I've also verified that I am able to do
|eval NewValue1=(FirstValue*.60) | and
| eval NewValue2=(SecondValue*.60) | both yielding results. However, when I try:
| eval NewValue=(FirstValue+SecondValue) I get nothing.
... | rex field=FirstValue mode=sed "s/^\s*// s/\s*$//" | rex field=SecondValue mode=sed "s/^\s*// s/\s*$//" | eval NewValue = (tonumber(FirstValue) * 0.60) + (tonumber(SecondValue) * 0.40)
| eval NewValue = FirstValue*.60 | eval NewValue = SecondValue*.40 | chart count by NewValue | eventstats sum(count) as total
Hope this helps, please comment if you have any questions.Thanks!
This is part of a much larger query. When I use table, it switches the order of the columns and displays nothing but the column not related to this part of the query. Any other thoughts/ideas?
It doesn't make sense why this would not work. It could be a misspelling or a CamelCaseProblem. I did a simple comparison search on my Splunk test instance:
index=_internal source="*metrics.log" per_source_thruput | eval foo=exact(kb*.60) | eval foo2=exact(kb * .5) | eval foo3=foo+foo2 | eval foo4=exact(kb*.60)+exact(kb*.50) | eval error=abs(foo4-foo3) | table kb,foo,foo2,foo3,foo4,error
This computes the value of
(kb * .6) + (kb * .5) both stepwise and as a single expression, and compares the results. There was occasionally rounding error in the least significant digit, which should be expected with floating point.
Note, however, the use of
exact() to make sure the various subexpressions were processed with floating point (instead of integer) maths.
Actually, I don't see anything obvious. Unfortunately, the answers site is somewhat messing up your comments (and your question) by taking the
* and treating it like the beginning of italics markup. 😞 But, a question - could stats be messing this up somehow? Try this instead:
eval IE_Average=(IE_Response * .60) | eval FF_Average=(FF_Response * .40) | eval Averages=(IE_Average)+(FF_Average) | table IE_Response,FF_Response,IE_Average,FF_Average,Averages
Maybe a 2nd eye will help me see it. Here is that part:
eval IE_Average=(IE_Response*.60) | eval FF_Average=(FF_Response*.40) | eval Averages=(IE_Average)+(FF_Average) | stats values(IE_Response) values(FF_Response) values(IE_Average) values(FF_Average) values(Averages) by test_name
values(FF_Average) displays column fine
values(IE_Average) displays column fine
But values(Averages) displays nothing....