Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Eval for new variable not working as expected?

dunick_
Engager
‎10-12-2022 02:08 AM
Hello community,
I am new here and I have a simple question on my chart which is not working as expected.
Currently I have the following chart which brings me the dusk usage in KBytes. It works perfectly:
sourcetype=app:my_app AND mount_usage_kb
| timechart max(mount_usage_kb) as "Mount size in KB"
 
I tried to eval a new variable to have the values in MBytes, but it does not work, the chart is empty and values not shown (even on the table):
sourcetype=app:my_app AND mount_usage_kb
| eval mount_usage_mb=(mount_usage_kb/1024)
| timechart max(mount_usage_mb) as "Used storage MB"
 
Any clue on what I am doing wrong?
 
Thanks a lot
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-12-2022 02:38 AM

There are several possible causes depending on your data.

You might have your mount_usage_kb field extracted as multivalued field. In such case max() would give you a maximum value, but simple arithmetic evaluation would not work on it directly (you'd have to map a function over it).

You might have your field extracted as text - that way arithmetic wouldn't work and max() would do a alphabetically sorted max instead of arithmetic max. (but in this case I think timechart wouldn't work properly but then again it might - typecasting sometimes works a bit strangely in splunk)

Anyway, if something is not working properly, trim your search to the point which does work OK and find which command does not work.

View solution in original post

Reply
Solved! Jump to solution

dunick_
Engager
‎10-12-2022 03:03 AM

Hello @PickleRick, thank you for your answer and support.

I believe that the issue was really related to my extraction. I extracted the same field with same regex again but gave the field another name (mount_usage_kb_extracted). Then it worked as expected...

sourcetype=app:my_app AND mount_usage_kb
| eval mount_usage_mb=(mount_usage_kb_extracted/1024)
| timechart max(mount_usage_mb) as "Used storage MB"
0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-12-2022 02:38 AM

There are several possible causes depending on your data.

You might have your mount_usage_kb field extracted as multivalued field. In such case max() would give you a maximum value, but simple arithmetic evaluation would not work on it directly (you'd have to map a function over it).

You might have your field extracted as text - that way arithmetic wouldn't work and max() would do a alphabetically sorted max instead of arithmetic max. (but in this case I think timechart wouldn't work properly but then again it might - typecasting sometimes works a bit strangely in splunk)

Anyway, if something is not working properly, trim your search to the point which does work OK and find which command does not work.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...