- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a search with eval where you know th...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure if this can be achieved by eval command. A bit silly question indeed.
"I want to know the value of the field 'sum' when field 'num' equals 56.
And save the sum's value in a variable 'y'."
I tried to eval, it didn't do the job.
Could use some help here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, did a bit of testing myself.
_time is in epoch including milliseconds, while now() returns a result in seconds. Perhaps that is why you don't find matches.
Just to confirm, can you post an extract of this:
...
| eval x=now()
| eval mytime=_time
| table _time,x,mytime,sum
Looking at that data should tell you why the if statement isn't giving the results you expect.
Update:
As commented below, you might need to round the value of _time, to get rid of the millisecond detail, in order to compare it to now()-x_seconds.
So:
...
| eval x=now()-5
| eval mytime=round(_time)
| eval y=if(mytime=x,sum,null())
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, did a bit of testing myself.
_time is in epoch including milliseconds, while now() returns a result in seconds. Perhaps that is why you don't find matches.
Just to confirm, can you post an extract of this:
...
| eval x=now()
| eval mytime=_time
| table _time,x,mytime,sum
Looking at that data should tell you why the if statement isn't giving the results you expect.
Update:
As commented below, you might need to round the value of _time, to get rid of the millisecond detail, in order to compare it to now()-x_seconds.
So:
...
| eval x=now()-5
| eval mytime=round(_time)
| eval y=if(mytime=x,sum,null())
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
_time = 2018-02-07 04:33:46.160
x = 1517996006
mytime = 1517996026.160
sum = 4620.3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's a single event. When you scroll through the entries over time, I guess you should also be able to manually check if there is a line that should have matched the if statement. But I guess the milliseconds in the _time (and mytime) fields prevent that match.
Can you try eval mytime=round(_time) and see if you then can get a match between mytime and now-45 or whatever?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
at any moment 'mytime' and 'x' are never equal. There is always a gap of few seconds. x is always ahead of few seconds
So I did like | eval x = now() -5 and then it gave me some values .
Thanks @FrankVI for your assistance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're welcome 🙂
I've changed what I think was my key comment to an answer, so you can mark that as accepted if it indeed worked now 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It indeed helped. Happily Accepted and upvoted .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This??
...| eval y=if('num'=56,'sum',null())
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this didn't work. my num is basically a UNIX time that I'm fetching from now() function.
my comparison is like | x=now() |eval y =if(_time=x,sum,null())
If I convert my _time to UNIX time and then perform the comparison, would that work ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
shouldn't that be eval x=now() ?
Or just put the now() in the if clause:
| eval y=if(_time=now(),sum,null())
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Frank.
It wont work.
On a different point, what if eval x=now()-45
and I wanna know the value of 'sum' when x has has 45 seconds less value than epoch.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's starting to get a bit confusing to be honest. Can you perhaps add some proper search code examples to your original question post as well as screenshots / copies of what the data looks like (especially the relevant fields).
Based on your description, the suggestions from @somesoni2 and myself should work, but apparently we are missing something specific from your situation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry for the confusion.
What I'm looking is ,
a) The value of field 'sum' when the time is now().
b) And the value of field 'sum' when the time is 45 seconds before now().
'sum' field has different values and is continious on a time line.
And I'm trying to know it's value at a specific time.
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
