Eval math expression over null values

splunk_zen · ‎04-11-2013

How can I get a result out of an eval expression (without falsely decreasing the result computing its components as 0) if I there is a day and a half which I have no data?

My goal is to timechart a score with that gap in it, not represent the lack of data as 0.

If I replace the

TotalEvents,0

by

TotalEvents,""

in the eval expressions,
The CpuScore eval just breaks and is always null acroos All Time, even on the other days which I have data.

| eval ACpuApdex=if(Platform="A",(TotalOptimumCpu + TotalAcceptableCpu/2) / TotalEvents,0)
| eval BCpuApdex=if(Platform="B",(TotalOptimumCpu + TotalAcceptableCpu/2) / TotalEvents,0)
...
| eval BCpuApdex=if(Platform="K",(TotalOptimumCpu + TotalAcceptableCpu/2) / TotalEvents,0)
| eval CpuScore=round(
100*(
0.16*(0.7*ACpuApdex + B*FeCpuApdex)
+ 0.16*CCpuApdex 
...
)
)
| timechart span=1d sum(CpuScore) as CpuScore

lpolo · ‎04-11-2013

Have tried:
| timechart cont=false span=1d sum(CpuScore) as CpuScore

splunk_zen · ‎04-12-2013

Thanks Ipolo.
The issue is that the result of

| eval CpuScore=...

is either 0 in that given day(if I leave the TotalEvents,0
in the previous eval expressions)

or null across All Time (if I replace it by TotalEvents,"")

Eval math expression over null values

Fastest way to demo Observability

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

Are you a member of the Splunk Community?

Eval math expression over null values

Fastest way to demo Observability

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps