Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I divide the sum based on a criterion using the eval command?

xelian
New Member
‎10-06-2018 01:51 AM

Hi I have the following search:

[my search]
|dedup @timestamp 
|stats sum(json_message.amount) as "total" by json_message.currencyCode 
|eval devide = if(like(json_message.currencyCode,"%IDR%") , "1748000" , "100")
|eval final=total/devide 
|table json_message.currencyCode final
|rename final as "Total in real amount",  json_message.currencyCode as "Currency"

In the result table, I want the total amount to be divided by 1748000 for IDR and by 100 for other currencies.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎10-06-2018 11:58 AM

Hi @xelian,
Can you please try below query:

[my search]
|dedup @timestamp 
| rename json_message.currencyCode as currencyCode,  json_message.amount as amount
|stats sum(amount) as "total" by currencyCode 
|eval devide = if(like(currencyCode,"%IDR%") , 1748000 , 100)
|eval final=total/devide 
|table currencyCode final
|rename final as "Total in real amount",  currencyCode as "Currency"

Hope this helps!!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎10-06-2018 11:58 AM

Hi @xelian,
Can you please try below query:

[my search]
|dedup @timestamp 
| rename json_message.currencyCode as currencyCode,  json_message.amount as amount
|stats sum(amount) as "total" by currencyCode 
|eval devide = if(like(currencyCode,"%IDR%") , 1748000 , 100)
|eval final=total/devide 
|table currencyCode final
|rename final as "Total in real amount",  currencyCode as "Currency"

Hope this helps!!

0 Karma
Reply
Solved! Jump to solution

xelian
New Member
‎10-06-2018 12:50 PM

WoW man, rename must be first. OOOOO I read half of the SPlunk doc for if/case/string/toNumber tried 100 different scnearios. Thankssssss

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎10-06-2018 01:31 PM

Yes, you caught that correctly, always consider renaming the field name if field name cannot be a variable name for your script, for being on safe side.!!!!!

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎10-06-2018 06:16 AM

@xelian ,

Your search should work. Are you not getting the result? Suggest to remove the quotes around the numbers in the condition though it should not affect your result.

This is a run anywhere example

| makeresults |eval currencies="IDR,EUR,USD,AUD"|makemv currencies delim=","| mvexpand currencies|eval total=100
|eval divider=if(currencies=="IDR",100,10)|eval final=total/divider|fields - divider
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

xelian
New Member
‎10-06-2018 10:40 AM

I remove quotes but in the result always 100 is devide. I think the problem is somewhere in the if, because it is a String. I do not know I am very upset. I tried 100 different scenarios and always 100.

0 Karma
Reply
Get Updates on the Splunk Community!

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...