Splunk Search

Help with eval division calculation

splunkuseradmin
Path Finder

Hey all,

I need an eval expression for the below output:

_time minutes bminutes
2019-06-01 1349511.54 105472800
2019-06-08 1498691.33 105472800
2019-06-15 1447368.29 105472800
2019-06-22 1379824.64 105472800

It is by every week so I need an eval expression from which I can divide every row of minutes by bminutes by time.

Expected results:

_time minutes bminutes result
2019-06-01 1349511.54 105472800 1.279
2019-06-08 1498691.33 105472800 1.420
2019-06-15 1447368.29 105472800 1.372
2019-06-22 1379824.64 105472800 1.308

Tags (1)
0 Karma

woodcock
Esteemed Legend

You just spelled your field wrong (using m instead of M in the bizMinutes field); see the last line in this working run-anywhere example:

| makeresults 
| eval raw="time=2019-06-01,minutes=1349511.54,bizMinutes=105472800 time=2019-06-08,minutes=1498691.33,bizMinutes=105472800 time=2019-06-15,minutes=1447368.29,bizMinutes=105472800 time=2019-06-22,minutes=1379824.64,bizMinutes=105472800" 
| makemv raw 
| mvexpand raw 
| rename raw AS _raw 
| kv 
| eval _time = strptime(time, "%Y-%m-%d") 
| fields - time 
| eval result = round(100 * minutes / bizMinutes)
0 Karma

ayush1906
Path Finder

| eval result=round(100*minutes/bizMinutes,3)

this will give you 3 trailing digits after decimal

0 Karma

nabeel652
Builder

I'm afraid I couldn't understand properly what your exact requirement is 🙂
However, this gives your desired output with a slight change

| makeresults | fields - _time | eval data="2019-06-01 1349511.54 105472800|2019-06-08 1498691.33 105472800|2019-06-15 1447368.29 105472800|2019-06-22 1379824.64 105472800" | makemv delim="|" data | mvexpand data | rex field=data "^(?<_time>[^\s]*)\s(?<minutes>[^\s]*)\s(?<bizMinutes>[^\s]*)$" | table _time, minutes, bizMinutes | eval result=round(100*minutes/bizMinutes,3)
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...