Hi all and thanks in advance,
I am trying to get statistics for a value that is given in milliseconds, so I would need to transform them to seconds and eventually minutes. I tried everything my common sense dictated, but that simple operation seems not to be that trivial.
I do this:
search value_in_ms | eval valueSeconds=value_in_ms/1000 | timechart span=1d perc25(valueSeconds)
That does not work, so I tried this:
search value_in_ms | timechart span=1d perc25(eval(value_in_ms/1000 ))
That does not work either. Anything I do to value_in_ms generates an empty output...
Check if the valueinms is numeric or not. Try to convert to number before using it.
search valueinms | eval valueSeconds=tonumber(valueinms)/1000 | timechart span=1d perc25(valueSeconds)
Thanks for your reply. I tried that but it doesn't work. It seems everything touched by eval goes to null.
For example if I do that:
search valueinms | timechart span=1d perc25(valueinms)
there is no problem and works fine, I get the graph correctly. But if I do this:
search valueinms | eval newvalue=valueinms |timechart span=1d perc25(newvalue)
Then I get nothing, as if the eval is messing things up...
It seems that you are barking up the right tree; you are correct that this should be a trivial task. For reference, the eval documentation can be found here: http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Eval
As somesoni2 mentioned, this could be related to the format of the 'valueinms' field, and so the tonumber function might help.
Please let me know if this helps, and otherwise could you post an example of the results you get?
Thanks for your interest. I found an example in the doc that is exactly what I want to do, but no luck. Actually I tried somesoni2's suggestion and it is not working either. My thoughts are that eval, for some reason I can't figure out, is changing the format of the variable.
This works fine:
search time_in_ms | timechart perc75(time_in_ms)
So I guess time_in_ms is a number variable, as I can get the percentile.
If I do the following:
search time_in_ms | eval newtime=time_in_ms | timechart perc75(newtime)
I get nothing, and theoretically there would be no difference between both searches.
That's exactly what I have and the result is nothing.
value.clientCallDuration > 0 | eval duration = tonumber(value.clientCallDuration)/1000 | timechart span=1d perc25(duration) as "25th %" perc50(duration) as "50th %" perc75(duration) as "75th %"
But the following works:
value.clientCallDuration > 0 | timechart span=1d perc25(value.clientCallDuration) as "25th %" perc50(value.clientCallDuration) as "50th %" perc75(value.clientCallDuration) as "75th %"
I am very confused. Is there a way to know what format Splunk is interpreting clientCallDuration as?
Hi again muebel,
I did some tests and the problem seems to be in the format. I have been searching around and haven't found any other case, which is very weird.
The number passed to JSON is a long. If it is not used in the eval statement then it can be used to perform operations, and indeed I get the correct result when I do stuff like perc25.
If I modify the value with eval, then it always returns null. Some examples:
eval time = timems ---> time will be null even if timems is not.
eval time = if(timems>1, "ok","notok") ---> that returns an error stating '>' comparing different formats.
eval time=if(timems>"1","ok","error") ---> statement is always false (in reality it is not) so it always would return error (timems is set to null).
eval time=tonumber(timems) ---> time is always null.
convert num(timems) ---> timems is always null.
Thanks, I tried that, also no luck.
I also figured out how to check the event type and it is a number, so for some reason any operation done to it converts it to a null value. I am starting to think that it may be a bug.
I tried, but it says "Error in 'eval' command: The arguments to the 'round' function are invalid.". What I suspect is that it is taking callinms as something different than a number, but actually if I inspect the element it says it is a number.
Thanks for your reply.