Splunk Search

Dividing Field by a Number in stats

New Member

Hi,

How do I divide a field by a number.

I want to divide Att.Duration by 100 and use the new field in the stats section as an average

i tried this:
eval YearDuration=(Att.Duration/100) | stats avg(YearDuration) by Event.SubCT

and this:
stats avg(Att.Duration) as "Avg. Duration (min)" eval(avg(Att.Duration)/100) as YearDuration by Event.SubCT

When I'm not getting an error I get blank column..

Thanks!

Tags (2)
0 Karma

Legend

I think the problem is that Att.Duration is not a valid field name. Field names should contain letters, numbers and underscores only. The name must start with a letter.

I have noticed that Spunk will allow invalid field names in some places, but not in most commands.

0 Karma

Legend

Yes, that is what I mean. It may be a valid JSON field, but it is not a valid Splunk field name. Some commands (like stats) are not picky. The eval command will not accept an invalid field name, because "." is a valid operator to eval.

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextrac...

for more info

0 Karma

New Member

Thanks, but this is a valid field (this is the JSON reference for a field) the field Att.Duration will return values in the stats clause, but when trying (with Att.Duration or any other field) to use it in evel I'm not getting any value.

thanks!

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!