Splunk Search

Average wrong box estimate - Why is my attempt wrong?

Path Finder

I have 17 orders in total. The box estimate is wrong for 6 out of 17 orders. What is the average wrong box estimate in total?

This is my attempt, which is wrong:

```
| spath path=data{}.actual_totes{}.finalBoxAmount output=actualBoxes
| spath path=data{}.estimated_totes{}.box output=estimatedBoxes
| eventstats count AS total
| eval box_missing=if(actualBoxes != estimatedBoxes, "YES", "NO")
| eval average= (actualBoxes - estimatedBoxes) / total * 100
| table actualBoxes estimatedBoxes total box_missing average
```

SplunkTrust

What events are you using?

How is it wrong?

What were you expecting?

Path Finder

Sorry if the question is not clear.

These are the data I get from my event 👇🏾👇🏾

```
| spath path=data{}.actual_totes{}.finalBoxAmount output=actualBoxes
| spath path=data{}.estimated_totes{}.box output=estimatedBoxes
```

Below is the Splunk table image. The estimated order was right 11 times and wrong 6 times. I'm curious to know the percentage of incorrect box estimations overall.

SplunkTrust
```
| spath path=data{}.actual_totes{}.finalBoxAmount output=actualBoxes
| spath path=data{}.estimated_totes{}.box output=estimatedBoxes
| eval box_missing=if(actualBoxes != estimatedBoxes, 1, 0)
| stats count as total sum(box_missing) as missing
| eval percent_wrong = 100*missing/total
```
Path Finder

SplunkTrust

Try with eventstats so you can see which events have been included

```
| spath path=data{}.actual_totes{}.finalBoxAmount output=actualBoxes
| spath path=data{}.estimated_totes{}.box output=estimatedBoxes
| eval box_missing=if(actualBoxes != estimatedBoxes, 1, 0)
| eventstats count as total sum(box_missing) as missing
| eval percent_wrong = 100*missing/total
```
Path Finder

I started learning Splunk yesterday. I don't know the difference between stats and eventstats. 😄

SplunkTrust

Essentially, eventstats adds the calculated values as new fields to all the events without dropping any events, whereas stats replaces all the events with a single event containing just the calculated or group-by fields.
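The difference described above, modeled in Python as an added example (not code from the thread and not Splunk code). The 17 events are constructed, the function names are hypothetical, and the treatment of a null `actualBoxes` as "not wrong" is an assumption that follows `if()` returning its else branch when the comparison is not TRUE.

```python
# Python model of the thread's SPL pipeline (added example, hypothetical names).

def flag(event, null_is_wrong=False):
    """Model of: eval box_missing=if(actualBoxes != estimatedBoxes, 1, 0)."""
    actual, estimated = event.get("actualBoxes"), event.get("estimatedBoxes")
    if actual is None or estimated is None:
        # Assumption: a comparison with a null field is not TRUE, so if()
        # yields the else value (0). Set null_is_wrong to count it as wrong.
        return 1 if null_is_wrong else 0
    return 1 if actual != estimated else 0

def aggregate(events, null_is_wrong=False):
    """Model of: count as total sum(box_missing) as missing, then percent_wrong."""
    flags = [flag(ev, null_is_wrong) for ev in events]
    total, missing = len(flags), sum(flags)
    percent = round(100 * missing / total, 2) if total else None
    return {"total": total, "missing": missing, "percent_wrong": percent}, flags

def stats(events, **kw):
    """stats: all events are replaced by one summary row."""
    summary, _ = aggregate(events, **kw)
    return [summary]

def eventstats(events, **kw):
    """eventstats: every event is kept and gains the summary fields."""
    summary, flags = aggregate(events, **kw)
    return [{**ev, "box_missing": f, **summary} for ev, f in zip(events, flags)]

# Constructed sample: 17 orders, 6 wrong estimates, 1 order with a null actual.
EVENTS = (
    [{"actualBoxes": 3, "estimatedBoxes": 2}] * 6
    + [{"actualBoxes": 2, "estimatedBoxes": 2}] * 10
    + [{"actualBoxes": None, "estimatedBoxes": 2}]
)

if __name__ == "__main__":
    print("stats     :", stats(EVENTS))
    rows = eventstats(EVENTS)
    print("eventstats:", len(rows), "rows, first =", rows[0])
    print("nulls counted as wrong:", stats(EVENTS, null_is_wrong=True))
```

With the model's default, an order whose actual value is null is silently counted as a correct estimate, so it is worth deciding explicitly how such orders should be treated before trusting the percentage.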

SplunkTrust

Try including the other fields

```
| table actualBoxes estimatedBoxes total box_missing missing percent_wrong
```
Path Finder

PS: I only want the TOTAL average of wrong estimates.

SplunkTrust

Your actualBoxes and estimatedBoxes have not extracted correctly (or there weren't any values for them in your events)

Path Finder

How come it returns these

Path Finder

PS: Some of the actual values are null

SplunkTrust

You have changed the names of the output fields on the spath so they no longer match the field names used in the eval - you should try and be consistent

Path Finder

I am really sorry for the stupid mistake 🙏🏾. Now it shows the averages, but why does it show 17 rows in the same result? Can't I make it one column and one row?

SplunkTrust

Change the eventstats back to stats (as I explained earlier)

Path Finder

Thank you for sticking with me 🙏🏾🙏🏾
