in source X, I have fields A and B. I want to find the average ratio of two fields per hour. Something like:
source=X * | stats avg(eval(A/B)) by date_hour
...which obviously doesn't work. It says I need to rename something or rather...
Have you tried it like this:
source=X * | eval ratio=A/B | stats avg(ratio) by date_hour
View solution in original post
I feel like I do this so often. Yes I did try that, but you reminded me I needed to capitalize the fields. I'm positive splunk is case-sensitive.