Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to divide events in a field by events in anoth...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to divide events in one field by events in another field that would then display in a dashboard as a single value. I have two fields that are currently display in my dashboard. One is a list of different Revenue Numbers and the other is a list of Documents Processed. It Looks like this:
"Total Active Subscription Revenue _converted" ---------------- " DocCount"
234542 ------------------------------------------------------------------------------- 5
341324 ------------------------------------------------------------------------------- 3
34253 --------------------------------------------------------------------------------- 2
2314 -----------------------------------------------------------------------------------1
The query I have so far is this:
source="c:\\users\\ragate\\desktop\\splunk\\jsondump.txt" | eval "License Key Identifier"=substr('context.custom.dimensions{}.LicenseKey' ,4,7) | join type=left "License Key Identifier" [search source="LMCustomerRevLicense1.csv"] | stats distinct_count("context.custom.dimensions{}.DocumentSessionId") by "Account Name" "Total Active Subscription Revenue _converted" | rename distinct_count("context.custom.dimensions{}.DocumentSessionId") AS DocCount |
I tried using |eval DocCost= "Total Active Subscription Revenue _converted"/DocCount | but this just brings me back and error saying "type checking failed. '/' only takes numbers"
Any Suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
source="c:\\users\\ragate\\desktop\\splunk\\jsondump.txt" | eval "License Key Identifier"=substr('context.custom.dimensions{}.LicenseKey' ,4,7) | join type=left "License Key Identifier" [search source="LMCustomerRevLicense1.csv"] | stats distinct_count("context.custom.dimensions{}.DocumentSessionId") as DocCount by "Account Name" "Total Active Subscription Revenue _converted"
| eval DocCost='Total Active Subscription Revenue _converted'/DocCount
Fields with special characters/spaces in their name should be used within single quotes in eval-expression (and where expression). With double quotes they're treated as literal string and give that typecast error.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
source="c:\\users\\ragate\\desktop\\splunk\\jsondump.txt" | eval "License Key Identifier"=substr('context.custom.dimensions{}.LicenseKey' ,4,7) | join type=left "License Key Identifier" [search source="LMCustomerRevLicense1.csv"] | stats distinct_count("context.custom.dimensions{}.DocumentSessionId") as DocCount by "Account Name" "Total Active Subscription Revenue _converted"
| eval DocCost='Total Active Subscription Revenue _converted'/DocCount
Fields with special characters/spaces in their name should be used within single quotes in eval-expression (and where expression). With double quotes they're treated as literal string and give that typecast error.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you!
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
