Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Eval for new variable not working as expected?

dunick_
Engager
‎10-12-2022 02:08 AM
Hello community,
I am new here and I have a simple question on my chart which is not working as expected.
Currently I have the following chart which brings me the dusk usage in KBytes. It works perfectly:
sourcetype=app:my_app AND mount_usage_kb
| timechart max(mount_usage_kb) as "Mount size in KB"
 
I tried to eval a new variable to have the values in MBytes, but it does not work, the chart is empty and values not shown (even on the table):
sourcetype=app:my_app AND mount_usage_kb
| eval mount_usage_mb=(mount_usage_kb/1024)
| timechart max(mount_usage_mb) as "Used storage MB"
 
Any clue on what I am doing wrong?
 
Thanks a lot
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-12-2022 02:38 AM

There are several possible causes depending on your data.

You might have your mount_usage_kb field extracted as multivalued field. In such case max() would give you a maximum value, but simple arithmetic evaluation would not work on it directly (you'd have to map a function over it).

You might have your field extracted as text - that way arithmetic wouldn't work and max() would do a alphabetically sorted max instead of arithmetic max. (but in this case I think timechart wouldn't work properly but then again it might - typecasting sometimes works a bit strangely in splunk)

Anyway, if something is not working properly, trim your search to the point which does work OK and find which command does not work.

View solution in original post

Reply
Solved! Jump to solution

dunick_
Engager
‎10-12-2022 03:03 AM

Hello @PickleRick, thank you for your answer and support.

I believe that the issue was really related to my extraction. I extracted the same field with same regex again but gave the field another name (mount_usage_kb_extracted). Then it worked as expected...

sourcetype=app:my_app AND mount_usage_kb
| eval mount_usage_mb=(mount_usage_kb_extracted/1024)
| timechart max(mount_usage_mb) as "Used storage MB"
0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-12-2022 02:38 AM

There are several possible causes depending on your data.

You might have your mount_usage_kb field extracted as multivalued field. In such case max() would give you a maximum value, but simple arithmetic evaluation would not work on it directly (you'd have to map a function over it).

You might have your field extracted as text - that way arithmetic wouldn't work and max() would do a alphabetically sorted max instead of arithmetic max. (but in this case I think timechart wouldn't work properly but then again it might - typecasting sometimes works a bit strangely in splunk)

Anyway, if something is not working properly, trim your search to the point which does work OK and find which command does not work.

Reply
Get Updates on the Splunk Community!

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...