I want to divide events in one field by events in another field that would then display in a dashboard as a single value. I have two fields that are currently display in my dashboard. One is a list of different Revenue Numbers and the other is a list of Documents Processed. It Looks like this:
"Total Active Subscription Revenue _converted" ---------------- " DocCount"
234542 ------------------------------------------------------------------------------- 5
341324 ------------------------------------------------------------------------------- 3
34253 --------------------------------------------------------------------------------- 2
2314 -----------------------------------------------------------------------------------1
The query I have so far is this:
source="c:\\users\\ragate\\desktop\\splunk\\jsondump.txt" | eval "License Key Identifier"=substr('context.custom.dimensions{}.LicenseKey' ,4,7) | join type=left "License Key Identifier" [search source="LMCustomerRevLicense1.csv"] | stats distinct_count("context.custom.dimensions{}.DocumentSessionId") by "Account Name" "Total Active Subscription Revenue _converted" | rename distinct_count("context.custom.dimensions{}.DocumentSessionId") AS DocCount |
I tried using |eval DocCost= "Total Active Subscription Revenue _converted"/DocCount | but this just brings me back and error saying "type checking failed. '/' only takes numbers"
Any Suggestions?
Try this
source="c:\\users\\ragate\\desktop\\splunk\\jsondump.txt" | eval "License Key Identifier"=substr('context.custom.dimensions{}.LicenseKey' ,4,7) | join type=left "License Key Identifier" [search source="LMCustomerRevLicense1.csv"] | stats distinct_count("context.custom.dimensions{}.DocumentSessionId") as DocCount by "Account Name" "Total Active Subscription Revenue _converted"
| eval DocCost='Total Active Subscription Revenue _converted'/DocCount
Fields with special characters/spaces in their name should be used within single quotes in eval-expression (and where expression). With double quotes they're treated as literal string and give that typecast error.
Try this
source="c:\\users\\ragate\\desktop\\splunk\\jsondump.txt" | eval "License Key Identifier"=substr('context.custom.dimensions{}.LicenseKey' ,4,7) | join type=left "License Key Identifier" [search source="LMCustomerRevLicense1.csv"] | stats distinct_count("context.custom.dimensions{}.DocumentSessionId") as DocCount by "Account Name" "Total Active Subscription Revenue _converted"
| eval DocCost='Total Active Subscription Revenue _converted'/DocCount
Fields with special characters/spaces in their name should be used within single quotes in eval-expression (and where expression). With double quotes they're treated as literal string and give that typecast error.
Thank you!