Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Eval for new variable not working as expected?

dunick_
Engager
‎10-12-2022 02:08 AM
Hello community,
I am new here and I have a simple question on my chart which is not working as expected.
Currently I have the following chart which brings me the dusk usage in KBytes. It works perfectly:
sourcetype=app:my_app AND mount_usage_kb
| timechart max(mount_usage_kb) as "Mount size in KB"
 
I tried to eval a new variable to have the values in MBytes, but it does not work, the chart is empty and values not shown (even on the table):
sourcetype=app:my_app AND mount_usage_kb
| eval mount_usage_mb=(mount_usage_kb/1024)
| timechart max(mount_usage_mb) as "Used storage MB"
 
Any clue on what I am doing wrong?
 
Thanks a lot
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-12-2022 02:38 AM

There are several possible causes depending on your data.

You might have your mount_usage_kb field extracted as multivalued field. In such case max() would give you a maximum value, but simple arithmetic evaluation would not work on it directly (you'd have to map a function over it).

You might have your field extracted as text - that way arithmetic wouldn't work and max() would do a alphabetically sorted max instead of arithmetic max. (but in this case I think timechart wouldn't work properly but then again it might - typecasting sometimes works a bit strangely in splunk)

Anyway, if something is not working properly, trim your search to the point which does work OK and find which command does not work.

View solution in original post

Reply
Solved! Jump to solution

dunick_
Engager
‎10-12-2022 03:03 AM

Hello @PickleRick, thank you for your answer and support.

I believe that the issue was really related to my extraction. I extracted the same field with same regex again but gave the field another name (mount_usage_kb_extracted). Then it worked as expected...

sourcetype=app:my_app AND mount_usage_kb
| eval mount_usage_mb=(mount_usage_kb_extracted/1024)
| timechart max(mount_usage_mb) as "Used storage MB"
0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-12-2022 02:38 AM

There are several possible causes depending on your data.

You might have your mount_usage_kb field extracted as multivalued field. In such case max() would give you a maximum value, but simple arithmetic evaluation would not work on it directly (you'd have to map a function over it).

You might have your field extracted as text - that way arithmetic wouldn't work and max() would do a alphabetically sorted max instead of arithmetic max. (but in this case I think timechart wouldn't work properly but then again it might - typecasting sometimes works a bit strangely in splunk)

Anyway, if something is not working properly, trim your search to the point which does work OK and find which command does not work.

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top