Splunk Search

Average wrong box estimate - Why is my attempt wrong?

alakdam
Path Finder

I have a total of 17 orders. The box estimate is wrong for 6 out of 17 orders. What is the average wrong box estimate in total?

This is my attempt, which is wrong:

 

| spath path=data{}.actual_totes{}.finalBoxAmount output=actualBoxes 
| spath path=data{}.estimated_totes{}.box  output=estimatedBoxes 
| eventstats count AS total
| eval box_missing=if(actualBoxes != estimatedBoxes, "YES", "NO") 
| eval average= (actualBoxes - estimatedBoxes) / total * 100
| table actualBoxes estimatedBoxes total box_missing average

 

 

1 Solution

ITWhisperer
SplunkTrust
| spath path=data{}.actual_totes{}.finalBoxAmount output=actualBoxes 
| spath path=data{}.estimated_totes{}.box  output=estimatedBoxes 
| eval box_missing=if(actualBoxes != estimatedBoxes, 1, 0) 
| stats count as total sum(box_missing) as missing
| eval percent_wrong = 100*missing/total


ITWhisperer
SplunkTrust

What events are you using?

How is it wrong?

What were you expecting?


alakdam
Path Finder

Sorry if the question is not clear.

These are the data I get from my event 👇🏾👇🏾

| spath path=data{}.actual_totes{}.finalBoxAmount output=actualBoxes 
| spath path=data{}.estimated_totes{}.box  output=estimatedBoxes 

Below is the Splunk table image. The estimated order was right 11 times and wrong 6 times. I'm curious to know the percentage of incorrect box estimations overall.

Screenshot 2022-10-06 at 12.45.01.png

 


ITWhisperer
SplunkTrust
| spath path=data{}.actual_totes{}.finalBoxAmount output=actualBoxes 
| spath path=data{}.estimated_totes{}.box  output=estimatedBoxes 
| eval box_missing=if(actualBoxes != estimatedBoxes, 1, 0) 
| stats count as total sum(box_missing) as missing
| eval percent_wrong = 100*missing/total

alakdam
Path Finder

I don't see any answer. 

Screenshot 2022-10-06 at 12.59.17.png


ITWhisperer
SplunkTrust

Try with eventstats so you can see which events have been included

| spath path=data{}.actual_totes{}.finalBoxAmount output=actualBoxes 
| spath path=data{}.estimated_totes{}.box  output=estimatedBoxes 
| eval box_missing=if(actualBoxes != estimatedBoxes, 1, 0) 
| eventstats count as total sum(box_missing) as missing
| eval percent_wrong = 100*missing/total

alakdam
Path Finder

I started learning Splunk yesterday. I don't know the difference between stats and eventstats. 😄

 

 


ITWhisperer
SplunkTrust

Essentially, eventstats adds the calculated values as new fields to all the events without dropping any events, whereas stats replaces all the events with a single event containing just the calculated or group-by fields.


alakdam
Path Finder

Screenshot 2022-10-06 at 13.07.57.png


ITWhisperer
SplunkTrust

Try including the other fields

| table actualBoxes estimatedBoxes total box_missing missing percent_wrong

alakdam
Path Finder

PS: I just want only TOTAL average of wrong estimate 

Screenshot 2022-10-06 at 13.13.48.png


ITWhisperer
SplunkTrust

Your actualBoxes and estimatedBoxes have not extracted correctly (or there weren't any values for them in your events)

alakdam
Path Finder

How come it returns these Screenshot 2022-10-06 at 13.23.35.png


alakdam
Path Finder

PS: Some of the actual values are null


ITWhisperer
SplunkTrust

You have changed the names of the output fields on the spath so they no longer match the field names used in the eval - you should try and be consistent

alakdam
Path Finder

I am really sorry for the stupid mistake 🙏🏾. Now it shows the averages, but why does it show 17 rows in the same result? Can't I make one column and one row?

Screenshot 2022-10-06 at 13.38.11.png


ITWhisperer
SplunkTrust

Change the eventstats back to stats (as I explained earlier)

alakdam
Path Finder

Thank you for sticking with me 🙏🏾🙏🏾
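The stats versus eventstats behaviour discussed in this thread can be reproduced without any indexed data. The search below is an added example, not code posted by either participant. It builds 17 constructed events with makeresults, 6 of which have a wrong estimate. The `order` field, the box values 2 and 3, and the field name `rows_from_eventstats` are assumptions made for illustration.

```spl
| makeresults count=17
| streamstats count AS order
| eval estimatedBoxes=2, actualBoxes=if(order<=6, 3, 2)
| eval box_missing=if(actualBoxes != estimatedBoxes, 1, 0)
| eventstats count AS total sum(box_missing) AS missing
| eval percent_wrong=round(100*missing/total, 2)
| table order actualBoxes estimatedBoxes box_missing total missing percent_wrong
| stats count AS rows_from_eventstats first(total) AS total first(missing) AS missing first(percent_wrong) AS percent_wrong
```

Run it without the last line to see the 17 rows that eventstats keeps, each carrying the same totals. The final stats collapses them into the single row the question asks for.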
