- How to show only certain results in the statistics...

- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

tonahoyos

Explorer

10-16-2017
07:11 AM

Hello,

I would like to hide the following results in bold and only have the final eval statement show. I am only doing the calculations for the last eval statement.

source="Dataset_Finance.csv" host="sample" index="dataintegration" sourcetype="SampleFinance" ObjectAccount="4*" OR ObjectAccount="5*"

| eval **Sales**=if(ObjectAccount="411010",DomesticAmount,0), Costs=if(like(ObjectAccount,"5%"),DomesticAmount,0)

| stats sum(Sales) as **Sales**, sum(Costs) as **Costs**

| eval **CM**=Sales+Costs

| eval CMPer=(CM/Sales)*100

Also, I noticed that I cannot put a by statement after the eval. Should I only include it in the stats section, and how will I be able to categorize the CMPer by another value?

1 Solution


niketn

Legend

10-16-2017
08:42 AM

@tonahoyos, I think you need to reevaluate what you are trying to perform with your query.

1) Your base search is looking for all ObjectAccount starting with `4*`, however, in your stats you are performing a sum of `DomesticAmount` only for ObjectAccount `411010` for calculating `Sales`. Remaining are set to 0. So you should ideally filter for `ObjectAccount="411010"` in base search rather than `"4*"`.

2) Also if you are calculating percent for Sales and Costs and you are converting Sales for everything other than ObjectAccount `411010` as 0, then you will not be able to calculate percent for other Accounts. Percent calculation is indicating that you need only one Account 411010, unless I am misinterpreting the provided information.

3) As a performance tuning tip you should perform eval after stats command. Also `by` is applicable on transforming commands like `stats` not on eval. The eval command is for expression evaluations like a=b+c etc.

Having said that you can use `table` or `fields` command to retain only the fields you require in final table. Please try out the following query

```
source="Dataset_Finance.csv" host="sample" index="dataintegration" sourcetype="SampleFinance" ObjectAccount="411010" OR ObjectAccount="5*"
| stats sum(DomesticAmount) as Sales, sum(DomesticAmount) as Costs by ObjectAccount
| eval Sales=if(ObjectAccount="411010",Sales,0), Costs=if(match(ObjectAccount,"^5"),Costs,0)
| eval CM=Sales+Costs
| eval CMPer=(CM/Sales)*100
| table ObjectAccount CMPer
```

PS: Notice above that:

1) I have filtered only ObjectAccount="411010" in my base search.

2) I have used `by ObjectAccount` in stats function.

3) Also the eval for Sales and Cost is after eval.

4) Cost uses `match()` function to use regular expression based pattern matching to find any ObjectAccount starting with 5.

**If you want to use your own query, you just need to add the following command to your existing search (since you do not have ObjectAccount in your stats):**

```
| table CMPer
```

____________________________________________

| makeresults | eval message= "Happy Splunking!!!"
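
The asker's second question, categorizing CMPer by another value, as an added example (not code from either poster): the grouping field goes in the `by` clause of `stats`, and the later `eval` steps then run once per grouped row. `BusinessUnit` is a hypothetical field and the rows are constructed with `makeresults` so the search runs without the original index; the formulas are the asker's, with a guard added for groups that have no Sales.

```spl
| makeresults
| eval constructed_sample=split("411010,East,1000;411010,West,500;510000,East,-400;520000,East,-100;510000,West,-450", ";")
| mvexpand constructed_sample
| eval ObjectAccount=mvindex(split(constructed_sample,","),0), BusinessUnit=mvindex(split(constructed_sample,","),1), DomesticAmount=tonumber(mvindex(split(constructed_sample,","),2))
| eval Sales=if(ObjectAccount="411010",DomesticAmount,0), Costs=if(like(ObjectAccount,"5%"),DomesticAmount,0)
| stats sum(Sales) as Sales, sum(Costs) as Costs by BusinessUnit
| eval CM=Sales+Costs
| eval CMPer=if(Sales=0, null(), round((CM/Sales)*100, 2))
| table BusinessUnit CMPer
```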

