Cannot sum two numbers

veromihaiu
Path Finder

I have the following problem: I have a variable "number_of_past_events" which comes from a "| inputlookup file.csv" and another variable, "nr_events", from a subsearch. When I try to create a new variable with the sum of these two variables like this: "| eval new_number_of_events=number_of_past_events+nr_events", this new number does not have a value. I tried to use the table command like this: "| table number_of_past_events, nr_events, new_number_of_events", and the output shows the first two correctly, but new_number_of_events does not have a value. How can I resolve this problem?

1 Solution

veromihaiu
Path Finder

I found the solution... Instead of append I used join for the subsearch... and it worked!

ololdach
Builder

Hi, so the reason that the numbers were not added wasn't the wrong format like we thought, it was that the two variables were not present in all events and the append was an attempt to add the missing values to your events. In that case it makes perfect sense to use join instead as it adds values to existing events rather than additional events at the bottom of the list.

ololdach
Builder

I looked at your code another time. The first append loads your historic value and outputs the nr_events_history field? If so, you could use a standard lookup command instead of the join. It's much faster. The second append/join adds the total number of events that match svchost_command>20? You could do the same with eventstats, the only difference being that you would not run the same query twice. As a last suggestion for optimisation: remove the if from the eval. The where makes sure that all events are "Detected" anyway. So, eval message="Detected" delivers the same result.

veromihaiu
Path Finder

Thank you for your suggestions! The response to your first question is yes, the first append adds the historic value. The second adds the total number of events that match svchost_command>20, yes. I will definitely make the changes! Thank you very much. 🙂


veromihaiu
Path Finder

Yes, you are right! 🙂


gfreitas
Builder

It might be beneficial to get a screenshot of your fields from the interesting fields screen, but it seems one (or both) of the fields are not numbers. You could use

| convert num(wrongformatfield)

OR

| eval wrongformatfield=tonumber(wrongformatfield)

More info here: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/convert and here https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/convert


veromihaiu
Path Finder

* LogName="Microsoft-Windows-PowerShell/Operational" earliest=-1000m latest=now
| search EventCode="4103"
| chart
    count(eval(like(_raw,"%C:\Windows\system32\svchost.exe%"))) AS svchost_command over _time span=20s
| where (svchost_command>20)
| eval message=if(svchost_command>20 ,"Detected","NOT DETECTED")
| append
    [| inputlookup AvL_hist_test.csv ]
| append
    [search * LogName="Microsoft-Windows-PowerShell/Operational" earliest=-1000m latest=now
    | search EventCode="4103"
    | chart
        count(eval(like(_raw,"%C:\Windows\system32\svchost.exe%"))) AS svchost_command over _time span=20s
    | where (svchost_command>20)
    | stats count(eval(svchost_command>20)) AS nr_events ]
| eval new_number_events=nr_events_history+nr_events
| table _time,message,nr_events_history,nr_events,new_number_events


veromihaiu
Path Finder

This is my entire code. The output shows nr_events_history and nr_events as numbers, but new_number_events does not have a value.


gfreitas
Builder

I don't see any field nr_events_history before you use it in the last eval (on the penultimate line). That might be the case, no?


veromihaiu
Path Finder

nr_events_history comes from the | inputlookup AvL_hist_test.csv. I found the problem: I had to use join instead of append for the subsearch.


wmyersas
Builder

try adding a | fillnull to your outer and inner searches
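
A row-level model, added here and not part of the thread, of why the eval stayed empty after append, why join fixed it (ololdach's explanation above), and what fillnull would and would not do. It is plain Python imitating the SPL commands on constructed sample rows, with a one-row subsearch and no fields in common assumed for the join.

```python
"""Model of the thread's append-vs-join problem: rows are dicts, a missing key is a
null field. Not Splunk code; a Python imitation on constructed sample rows."""
from copy import deepcopy

# Constructed stand-ins for the three result sets in the search.
DETECTIONS = [  # outer search: one row per 20s bucket where svchost_command>20
    {"_time": "10:00:00", "svchost_command": 25, "message": "Detected"},
    {"_time": "10:00:20", "svchost_command": 31, "message": "Detected"},
]
HISTORY = [{"nr_events_history": 40}]  # what `| inputlookup AvL_hist_test.csv` returns
EVENT_COUNT = [{"nr_events": 2}]       # what `| stats count AS nr_events` returns

def append(results, subsearch):
    """`| append [...]`: subsearch rows land BELOW the existing rows; no single row
    carries both the outer fields and the subsearch fields."""
    return deepcopy(results) + deepcopy(subsearch)

def join(results, subsearch):
    """`| join [...]` with a one-row subsearch and no common fields (assumed): the
    subsearch fields are attached to every existing row, the fix the thread reports."""
    extra = subsearch[0] if subsearch else {}
    return [{**row, **extra} for row in deepcopy(results)]

def eval_add(results, out, a, b):
    """`| eval out=a+b`: SPL arithmetic with a null operand yields null, so the
    output field is simply not set on that row."""
    for row in results:
        if a in row and b in row:
            row[out] = row[a] + row[b]
    return results

def fillnull(results, fields, value=0):
    """`| fillnull value=0 f1 f2`: supply a default wherever a field is missing."""
    return [{**{f: value for f in fields}, **row} for row in results]

def with_append():
    rows = append(append(DETECTIONS, HISTORY), EVENT_COUNT)
    return eval_add(rows, "new_number_events", "nr_events_history", "nr_events")

def with_append_fillnull():
    rows = fillnull(append(append(DETECTIONS, HISTORY), EVENT_COUNT),
                    ["nr_events_history", "nr_events"])
    return eval_add(rows, "new_number_events", "nr_events_history", "nr_events")

def with_join():
    rows = join(join(DETECTIONS, HISTORY), EVENT_COUNT)
    return eval_add(rows, "new_number_events", "nr_events_history", "nr_events")
```

With append, no row ever gets new_number_events; with fillnull after append, every row gets a number, but each is only one side of the sum (0, 0, 40, 2), never the intended 42, so fillnull hides the problem rather than fixing it; with join, every detection row gets 42.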
