Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use eval to rename a variable unter certain conditions

zoe
Path Finder
‎03-25-2021 07:11 AM

I have under each orderNr five different weights.

__________________________

Weight: 0.898, WeightTypeId: 1, OrderNr: 8478

Weight: 0.094, WeightTypeId: 2, OrderNr: 8478

Weight: 7.45, WeightTypeId: 3, OrderNr: 8478

Weight: 0.0, WeightTypeId: 4, OrderNr: 8478

Weight: 7.45, WeightTypeId: 5, OrderNr: 8478

...............................

___________________________________

I would like to calculate the total weight and the yields, which is calculated like this: 
Total:  Weight(WeightTypeID1) + Weight(WeightTypeID2) +Weight(WeightTypeID4) +Weight(WeightTypeID5)
Yield1 = Weight (WeightTypeId 1)/ Total
Yield2= Weight(WeightTypeID3)/Total

I am thinking of using eval to assign the Weight (under WeightTypeId1) to weight 1, weight 2, weight 3.... Then it is easy to do the calculations. 

|Eval werigh1= if (WeightTypeId=1, Weight, 0). But somehow I feel this is not correct...

Can someone help me with that?

Thanks a lot!

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-26-2021 12:57 AM

Since you don't want the other fields, try the alternative solution with a fields command to limit the fields

| xyseries OrderNr WeightTypeId Weight
| eval total='1'+'2'+'4'+'5'
| eval yield1='1'/total
| eval yield2='3'/total
| fields OrderNr yield1 yield2 total

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-25-2021 07:19 AM

It is on the right lines. Try:

| eval weight1=if(WeightTypeId=1,weight,null)
| eval weight2=if(WeightTypeId=2,weight,null)
| eval weight3=if(WeightTypeId=3,weight,null)
| eval weight4=if(WeightTypeId=4,weight,null)
| eval weight5=if(WeightTypeId=5,weight,null)
| stats values(*) as * by OrderNr
| eval total=weight1+weight2+weight4+weight5
| eval yield1=weight1/total
| eval yield2=weight3/total
Reply
Solved! Jump to solution

zoe
Path Finder
‎03-26-2021 12:42 AM

sorry @ITWhisperer , I sent the last message by mistake before finishing it. Now continues

3. in the end I woule like to see sth like this:

OrderNr  Yield1, Yield2, Total

Acutally thre are also some other varibles in each event. But what I see now is that all other vairlabes are also listed. weight 1, weight 2....... WeighTypeId...., time stamp.... hostname, source....., which I do not want to include in the result. I tried to use  |Stats Values(yield1) as yield1 by OrderNr , but it does not work. Can you help me with that?

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-26-2021 12:57 AM

Since you don't want the other fields, try the alternative solution with a fields command to limit the fields

| xyseries OrderNr WeightTypeId Weight
| eval total='1'+'2'+'4'+'5'
| eval yield1='1'/total
| eval yield2='3'/total
| fields OrderNr yield1 yield2 total
Reply
Solved! Jump to solution

zoe
Path Finder
‎03-26-2021 01:03 AM

@ITWhisperer this solution is great! the first time I have learned xyseries! Thank you a lot! I have learned a lot from you!

0 Karma
Reply
Solved! Jump to solution

zoe
Path Finder
‎03-26-2021 12:34 AM

Thanks @ITWhisperer for your help!I have three questions to your solution

1. I see you used 'null' instead '0', does it mean, when the condition is not fulfilled, the variable will have no value instead of '0'? I tried '0', it is not working.....

2. You put | stats value(*) as * by OrderNr before the rest of eval commands of 'total', 'yield1' and 'Yield2'. But if I put this stats command in the end, the result does not show 'total', 'yield1' and 'yeild2'? Why does the order matter?

3. In the end I just want to see sth like this

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-26-2021 12:52 AM
  1. By using null instead of zero, the field is not present for the other events, so when the events are grouped together by OrderNr with the stats command, you don't get extra zeroes that you don't need
  2. The order matter because it is the stats command that is collecting all the weights into one line so the calculation can be done
  3. I am not sure what you want it to look like

Did you try the alternative solution?

0 Karma
Reply
Solved! Jump to solution

zoe
Path Finder
‎03-26-2021 01:02 AM

@ITWhisperer at the end of your first solution, I put | table OrderNr total yield1 yield2, then I can what I want to see. I hpe this is correct

zoe_0-1616745711773.png

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-25-2021 07:48 AM

Alternatively:

| xyseries OrderNr WeightTypeId Weight
| eval total='1'+'2'+'4'+'5'
| eval yield1='1'/total
| eval yield2='3'/total
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...