Adding two field values

Explorer

I have been unable to add two field values and use the new value of a new column

I'm trying to take one field, multiply it by .60 then add that to another field that has been multiplied by .40. This is how I thought it would be created:

eval NewValue=(FirstValue*.60)+(SecondValue*.40)

I've verified that: | stats values(FirstValue) | and | stats values(SecondValue) | print out expected results

I've also verified that I am able to do |eval NewValue1=(FirstValue*.60) | and | eval NewValue2=(SecondValue*.60) | both yielding results. However, when I try: | eval NewValue=(FirstValue+SecondValue) I get nothing.

Any ideas/thoughts?

Esteemed Legend

Try this:

... | rex field=FirstValue mode=sed "s/^\s*// s/\s*$//"
| rex field=SecondValue mode=sed "s/^\s*// s/\s*$//"
| eval NewValue = (tonumber(FirstValue) * 0.60) + (tonumber(SecondValue) * 0.40)

0 Karma

Contributor

| eval NewValue = FirstValue*.60
| eval NewValue = SecondValue*.40
| chart count by NewValue
| eventstats sum(count) as total

Hope this helps, please comment if you have any questions. Thanks!

0 Karma

Path Finder

I know it has been some time since you posted this, but were you able to find a solution? Or does anyone else know an answer to this? I am facing the same problem.

0 Karma

Path Finder

How did you verify the result of eval NewValue1=(FirstValue*.60)? Eval doesn't print out the result, so how can you say that you got the right result?

0 Karma

Explorer

This is part of a much larger query. When I use table, it switches the order of the columns and displays nothing but the column not related to this part of the query. Any other thoughts/ideas?

0 Karma

SplunkTrust

Understood. The swap to table in lieu of stats was to enable testing your search in smaller chunks and see if the problem was related to stats or not.

0 Karma

SplunkTrust

It doesn't make sense why this would not work. It could be a misspelling or a CamelCaseProblem. I did a simple comparison search on my Splunk test instance:

index=_internal source="*metrics.log" per_source_thruput 
| eval foo=exact(kb*.60)
| eval foo2=exact(kb * .5) 
| eval foo3=foo+foo2 
| eval foo4=exact(kb*.60)+exact(kb*.50) 
| eval error=abs(foo4-foo3) 
| table kb,foo,foo2,foo3,foo4,error

This computes the value of (kb * .6) + (kb * .5) both stepwise and as a single expression, and compares the results. There was occasionally rounding error in the least significant digit, which should be expected with floating point.

Note, however, the use of exact() to make sure the various subexpressions were processed with floating point (instead of integer) maths.

0 Karma

SplunkTrust

Actually, I don't see anything obvious. Unfortunately, the answers site is somewhat messing up your comments (and your question) by taking the * and treating it like the beginning of italics markup. 😞 But, a question - could stats be messing this up somehow? Try this instead:

eval IE_Average=(IE_Response * .60) 
| eval FF_Average=(FF_Response * .40) 
| eval Averages=(IE_Average)+(FF_Average) 
| table IE_Response,FF_Response,IE_Average,FF_Average,Averages

0 Karma

Explorer

Maybe a 2nd eye will help me see it. Here is that part:

eval IE_Average=(IE_Response*.60) | eval FF_Average=(FF_Response*.40) | eval Averages=(IE_Average)+(FF_Average) | stats values(IE_Response) values(FF_Response) values(IE_Average) values(FF_Average) values(Averages) by test_name

values(FF_Average) displays column fine
values(IE_Average) displays column fine

But values(Averages) displays nothing....

0 Karma