Hi all and thanks in advance,
I am trying to get statistics for a value that is given in milliseconds, so I would need to transform them to seconds and eventually minutes. I tried everything my common sense dictated, but that simple operation seems not to be that trivial.
I do this:
search value_in_ms | eval valueSeconds=value_in_ms/1000 | timechart span=1d perc25(valueSeconds)
that does not work, so tried this:
search value_in_ms | timechart span=1d perc25(eval(value_in_ms/1000 ))
does not work either. Anything I do to value_in_ms generates an empty output...
Regards,
Juan
Hi,
I found the problem it was quite an stupid thing... in the eval, the variable has to go with single quotes, so the following is working:
search time_in_ms | eval newtime=round('time_in_ms'/1000)
while this is failing:
search time_in_ms | eval newtime=round(time_in_ms/1000)
thanks,
Juan
Hi,
I found the problem it was quite an stupid thing... in the eval, the variable has to go with single quotes, so the following is working:
search time_in_ms | eval newtime=round('time_in_ms'/1000)
while this is failing:
search time_in_ms | eval newtime=round(time_in_ms/1000)
thanks,
Juan
try using eval valueSeconds=round((value_in_ms/1000),2)
Hi prachisaxena,
Tried but says "Error in 'eval' command: The arguments to the 'round' function are invalid.". What I suspect is takeing call_in_ms as something different than number, but actually if I inspect the element it says is a number.
Thanks for your reply.
Juan
Hi ,
Can you try to do isnum() or isint() and see if it gives TRUE
Hi,
Ya I did that:
| eval result= if(isint(callDurationMS),"ok","nook") | timechart span=1d count by result
all printed is "nook", same result for isnum.
So is not detected as number but if I don't filter it and use it straight in perc25(callDurationMS)
is treated as a number,or that seems so as it works, and if I inspect "Select Fields" callDurationMS sayst Type:Number, I cannot paste the image.
Rgds,
Juan
Can you send me some sample text .. let me try
Hi,
Do you mean the JSON raw data?, this is a sample:
{
callDurationMS: 30000
callId: c1cefd39d2cc
callStartTime: 2016-02-27T06:01:33.986Z
metricType: CALL
}
My working search is:
metricType="CALL" callDurationMS > 100 |timechart span=1d perc25(callDurationM) as "25th %" perc50(callDurationM) as "50th %" perc75(callDurationM) as "75th %" count(callDurationM)
if I add the eval parameters callDurationMS goes to null, and there is no output.
Rgds
Juan
It seems that you are barking up the right tree, you are correct that this should be a trivial task. For reference, the eval documentation can be found here : http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Eval
As somesoni2 mentioned, this could be related to the format of the 'value_in_ms' field, and so the tonumber function might help.
Please let me know if this helps, and otherwise could you post an example of the results you get?
Hi again muebel,
I did some tests and problem seems to be in the format, I have been searching around and haven't found any other case, that is very weird.
Number passed to JSON is a long, if is not used in the eval statement then can be used to perform operations and indeed it gets correct result when I do stuff like perc25.
If I modify the value with eval, then it always return null. Some examples
eval time = timems ---> time will be null even if timems is not.
eval time = if(timems>1, "ok","notok") --- > that returns an error stating '>' comparin different formats.
eval time=if(timems>"1",'ok","error") ---> statement is always false (in reality is not) so always would return error (timems is set to null)
eval time=tonumber(timems) ---> time is always null.
convert num(timems) ----> timems is always null
Rgds,
Juan
maybe
timechart perc75(time_in_ms/1000)
Hi muebel,
thanks, I tried that also no luck.
I also figure out how to check the event type and it is a number so for some reason any operation doing to it converts it to a null value, I am starting to think that may be a bug.
rgds,
Juan
Hi muebel,
Thanks for your interest I found an example in the doc that is exactly what I want to do. But no luck, actually I tried somesoni2 suggestion and is not working either, my thoughts are that eval for some reasons I don't reach to figure out is changing the format of the variable.
This works fine
search time_in_ms | timechart perc75(time_in_ms)
so I guess time_in_ms is a number variable as I can get the percentile.
If I do the following:
search time_in_ms | eval newtime=time_in_ms | timechart perc75(newtime)
I got nothing and theoretically there would be not difference between both searches.
that's exactly what I have and the result is nothing.
value.clientCallDuration > 0 | eval duration = tonumber(value.clientCallDuration)/1000 |
timechart span=1d perc25(duration) as "25th %" perc50(duration) as "50th %" perc75(duration) as "75th %"
but the follwoing works:
value.clientCallDuration > 0 | timechart span=1d perc25(value.clientCallDuration) as "25th %" perc50(value.clientCallDuration) as "50th %" perc75(value.clientCallDuration) as "75th %"
I am very confused, is there a way to know what format is splunk interpreting clientCallDuration?
Many thanks,
Juan
Check if the value_in_ms is numeric or not. Try to convert to number before using it.
search value_in_ms | eval valueSeconds=tonumber(value_in_ms)/1000 | timechart span=1d perc25(valueSeconds)
Hi somesoni2,
thanks for your reply, I tried that but doesn't work. It seems everything touched by eval goes to null.
For example if I do that:
search value_in_ms | timechart span=1d perc25(value_in_ms)
there is no problem and works fine, I get the graph correctly. But if I do this:
search value_in_ms | eval newvalue=value_in_ms |timechart span=1d perc25(newvalue)
Then got nothing, like if the eval is messing things up....
Rgds,
Juan