Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Help with eval division calculation
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help with eval division calculation
Hey all,
I need an eval expression for the below output:
_time minutes bminutes
2019-06-01 1349511.54 105472800
2019-06-08 1498691.33 105472800
2019-06-15 1447368.29 105472800
2019-06-22 1379824.64 105472800
It is by every week so I need an eval expression from which I can divide every row of minutes by bminutes by time.
Expected results:
_time minutes bminutes result
2019-06-01 1349511.54 105472800 1.279
2019-06-08 1498691.33 105472800 1.420
2019-06-15 1447368.29 105472800 1.372
2019-06-22 1379824.64 105472800 1.308
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You just spelled your field wrong (using m instead of M in the bizMinutes field); see the last line in this working run-anywhere example:
| makeresults
| eval raw="time=2019-06-01,minutes=1349511.54,bizMinutes=105472800 time=2019-06-08,minutes=1498691.33,bizMinutes=105472800 time=2019-06-15,minutes=1447368.29,bizMinutes=105472800 time=2019-06-22,minutes=1379824.64,bizMinutes=105472800"
| makemv raw
| mvexpand raw
| rename raw AS _raw
| kv
| eval _time = strptime(time, "%Y-%m-%d")
| fields - time
| eval result = round(100 * minutes / bizMinutes)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| eval result=round(100*minutes/bizMinutes,3)
this will give you 3 trailing digits after decimal
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm afraid I couldn't understand properly what your exact requirement is 🙂
However, this gives your desired output with a slight change
| makeresults | fields - _time | eval data="2019-06-01 1349511.54 105472800|2019-06-08 1498691.33 105472800|2019-06-15 1447368.29 105472800|2019-06-22 1379824.64 105472800" | makemv delim="|" data | mvexpand data | rex field=data "^(?<_time>[^\s]*)\s(?<minutes>[^\s]*)\s(?<bizMinutes>[^\s]*)$" | table _time, minutes, bizMinutes | eval result=round(100*minutes/bizMinutes,3)
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
