Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Eval for new variable not working as expected?

dunick_
Engager
‎10-12-2022 02:08 AM
Hello community,
I am new here and I have a simple question on my chart which is not working as expected.
Currently I have the following chart which brings me the dusk usage in KBytes. It works perfectly:
sourcetype=app:my_app AND mount_usage_kb
| timechart max(mount_usage_kb) as "Mount size in KB"
 
I tried to eval a new variable to have the values in MBytes, but it does not work, the chart is empty and values not shown (even on the table):
sourcetype=app:my_app AND mount_usage_kb
| eval mount_usage_mb=(mount_usage_kb/1024)
| timechart max(mount_usage_mb) as "Used storage MB"
 
Any clue on what I am doing wrong?
 
Thanks a lot
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-12-2022 02:38 AM

There are several possible causes depending on your data.

You might have your mount_usage_kb field extracted as multivalued field. In such case max() would give you a maximum value, but simple arithmetic evaluation would not work on it directly (you'd have to map a function over it).

You might have your field extracted as text - that way arithmetic wouldn't work and max() would do a alphabetically sorted max instead of arithmetic max. (but in this case I think timechart wouldn't work properly but then again it might - typecasting sometimes works a bit strangely in splunk)

Anyway, if something is not working properly, trim your search to the point which does work OK and find which command does not work.

View solution in original post

Reply
Solved! Jump to solution

dunick_
Engager
‎10-12-2022 03:03 AM

Hello @PickleRick, thank you for your answer and support.

I believe that the issue was really related to my extraction. I extracted the same field with same regex again but gave the field another name (mount_usage_kb_extracted). Then it worked as expected...

sourcetype=app:my_app AND mount_usage_kb
| eval mount_usage_mb=(mount_usage_kb_extracted/1024)
| timechart max(mount_usage_mb) as "Used storage MB"
0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-12-2022 02:38 AM

There are several possible causes depending on your data.

You might have your mount_usage_kb field extracted as multivalued field. In such case max() would give you a maximum value, but simple arithmetic evaluation would not work on it directly (you'd have to map a function over it).

You might have your field extracted as text - that way arithmetic wouldn't work and max() would do a alphabetically sorted max instead of arithmetic max. (but in this case I think timechart wouldn't work properly but then again it might - typecasting sometimes works a bit strangely in splunk)

Anyway, if something is not working properly, trim your search to the point which does work OK and find which command does not work.

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...