I'm trying to divide my query into two parts, D>8000 as X and D<=8000 as Y, so I put it .... my search | eval count(if(D<=8000)) AS Y, count(if(D>8000)) AS X | transpose.................... but it's not working. How do I divide it?


sagar1905

New Member

12-16-2017
10:58 AM


Re: How do divide greater than and less than in splunk?

richgalloway

SplunkTrust

12-16-2017
03:18 PM

What does "it's not working" mean? What do you get for X and Y?

---

If this reply helps you, an upvote would be appreciated.



Re: How do divide greater than and less than in splunk?

mayurr98

SplunkTrust

12-16-2017
04:54 PM

Hey @sagar1905

Try this

```
.... my search | eval divide=case(D<=8000,”Y”,D>8000,”X”) | stats count by divide
```

Let me know if this helps!


Re: How do divide greater than and less than in splunk?

sagar1905

New Member

12-17-2017
03:40 PM

I got the following error

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '”Y”,D>8000,”X”)'.


Re: How do divide greater than and less than in splunk?

mayurr98

SplunkTrust

12-17-2017
08:46 PM

Try this

```
.... my search | eval divide=if(D<=8000,"Y","X") | stats count by divide
```


Re: How do divide greater than and less than in splunk?

cmerriman

Super Champion

12-16-2017
08:38 PM

Do you want these as separate fields or as one field with two values?

To create one field with two values:

```
...| eval two_parts=if(D<=8000,"Y","X")...
```

To get separate fields:

```
...|eval Y=if(D<=8000,D,null())|eval X=if(D>8000,D,null())...
```


micahkemp

Champion

12-16-2017
08:51 PM

The other answers look like they will accomplish what you want, but in terms of the syntax you started with I wonder if you're looking for this:

```
stats count(eval(D<=8000)) AS Y, count(eval(D>8000)) AS X
```


Re: How do divide greater than and less than in splunk?

sagar1905

New Member

12-17-2017
03:43 PM

Thanks micahkemp, this works. So I should have used eval instead of if.
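
A self-contained search for trying the approaches from this thread side by side (an added example, not code posted by any participant). It builds six constructed events with `makeresults`, one of which has no `D` value, so the `if()` and `case()` bucketing can be compared against the `stats count(eval(...))` form on an event where `D` is missing. The field names `n`, `bucket_if`, `bucket_case`, `no_D`, `X_via_if` and `X_via_case` and the sample values of `D` are assumptions made for the demonstration; the string literals use straight double quotes, which `eval` requires.

```spl
| makeresults count=6
| streamstats count AS n
| eval D=case(n=1, 500, n=2, 8000, n=3, 8001, n=4, 12000, n=5, 7999)
| eval bucket_if=if(D<=8000, "Y", "X")
| eval bucket_case=case(D<=8000, "Y", D>8000, "X")
| stats count(eval(D<=8000)) AS Y,
        count(eval(D>8000)) AS X,
        count(eval(isnull(D))) AS no_D,
        count(eval(bucket_if="X")) AS X_via_if,
        count(eval(bucket_case="X")) AS X_via_case
```

Comparing `X`, `X_via_if` and `X_via_case` in the result shows where each form places the event that has no `D`.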