Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Failed eval command from sub search numerical results- Any suggestions?

Seawheels51
Path Finder
‎06-20-2022 03:05 PM

Hello gurus

I'm trying to return a percentage from the results of sub searches. The value User_count and Device_count are numerical but the eval returns nothing. If I convert either of the values to a number and leave the other named the eval works. Could you offer a suggestion to make this search work please? Thank you!

index="test" earliest=-2d@d latest=-1d@d
| dedup User
| stats count(User) as User_count
| append [search index="test" | stats dc(SerialNumber) as Device_count]
| eval perc=round(User_count/Device_count*100, 2)."%"
Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-20-2022 11:55 PM

Hi

if you are using the same time period for both user and devices you can try this

index="test" earliest=-2d@d latest=-1d@d
| stats dc(User) as User_count dc(SerialNumber) as Device_count
| eval perc=round(User_count/Device_count*100, 2)."%"

In SPL you should almost always replace join, append* with stats. There are lot of presentation what to do it e.g.  https://conf.splunk.com/watch/conf-online.html?search=%22Nick%20Mealy%22#/ are links to Nick's "yearly" conf presentations.

r. Ismo

View solution in original post

Reply
Solved! Jump to solution

Seawheels51
Path Finder
‎06-22-2022 11:36 AM

Thank you, that achieved the desired results! I appreciate the prompt and accurate response, well done!

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-20-2022 11:55 PM

Hi

if you are using the same time period for both user and devices you can try this

index="test" earliest=-2d@d latest=-1d@d
| stats dc(User) as User_count dc(SerialNumber) as Device_count
| eval perc=round(User_count/Device_count*100, 2)."%"

In SPL you should almost always replace join, append* with stats. There are lot of presentation what to do it e.g.  https://conf.splunk.com/watch/conf-online.html?search=%22Nick%20Mealy%22#/ are links to Nick's "yearly" conf presentations.

r. Ismo

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...