Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use eval with Pivot?

emoyoun
New Member
‎11-18-2016 06:33 AM

I need to generate a calculated field in Pivot with no luck.

I tried this:

| pivot Statistics HTTP sum(eval(count/3600))

I get this error:

The object 'HTTP' has no field 'eval(count/3600'.

Any ideas pls??

Tags (3)
0 Karma
Reply

Melstrathdee
Path Finder
‎11-21-2016 05:04 PM

When you are in search can you pipe the HTTPSum and HTTP into a table to show the value?
something like this?
source="tutorialdata.zip:*" sourcetype="vendor_sales/vendor_sales"
| eval HTTPSum = count/3600| stats count by HTTPSum Code

0 Karma
Reply

emoyoun
New Member
‎11-21-2016 05:08 PM

I works in search, My problem is with Pivot!

0 Karma
Reply

emoyoun
New Member
‎11-21-2016 05:17 PM

it seems that the new calculated attribute needs to be defined in the HTTP object to work with Pivot? I'm looking for a workaround!

0 Karma
Reply

Melstrathdee
Path Finder
‎11-20-2016 12:04 PM

Can you show us a sample of your data please. Thanks

0 Karma
Reply

emoyoun
New Member
‎11-21-2016 06:31 AM

Hi Melstrathdee,

Here is an example of my events:
I need to sum the count over a Period of one hour and find the Transaction per second by dividing the sum(count) by 3600

Start Time In MS=1479738420000,Start Time Local=Mon Nov 21 14:27:00 GMT+00:00 2016,End Time In MS=1479738480000,End Time Local=Mon Nov 21 14:28:00 GMT+00:00 2016,Site=W0,Group=HTTP,SourceIP=127.0.0.1,Status=200,URL=http://127.0.0.1:8080/xmlapi/invoke,Count=24,Rate=0.4,Average Latency=1.29166

0 Karma
Reply

Melstrathdee
Path Finder
‎11-21-2016 04:29 PM

Place the eval statement that calculates the HTTPSum in your search before you pipe the pivot. This should then make the field available. Hope this helps 🙂

0 Karma
Reply

emoyoun
New Member
‎11-21-2016 04:59 PM

Unfortunately I already tried this,
eval HTTPSum = count/3600| pivot Statistics HTTP sum(HTTPSum) as "TPS" SPLITROW _time AS _time PERIOD hour

I'm still getting the error:
Error in 'PivotCell': The object 'HTTP' has no field 'HTTPSum'.

0 Karma
Reply

rjthibod
Champion
‎11-20-2016 02:06 AM

Try this

| pivot Statistics HTTP sum(count) as HTTPSum SPLITROW _time AS _time PERIOD hour | eval HTTPSum = HTTPSum/3600

With pivot commands, you can only use SPLITROW and other pivot related options in the pipeline with the pivot command.

0 Karma
Reply

emoyoun
New Member
‎11-20-2016 08:20 AM

Thanks rjthibod,

I tried your suggestion but pivot still doesn't like it. I get this error 😞 :
Error in 'PivotCell': The object 'HTTP' has no field '|'.

Any work around would be appreciated.

0 Karma
Reply

pgreer_splunk
Splunk Employee
Splunk Employee
‎11-18-2016 11:03 AM

I believe it should be:

| pivot Statistics HTTP sum(HTTP) as HTTPSum | eval HTTPSum = 'HTTPSum'/3600

If that's what you're angling for....

0 Karma
Reply

emoyoun
New Member
‎11-18-2016 11:55 AM

I need to sum the count over a Period of one hour and find the Transaction per second by dividing the sum(count) by 3600. Following your suggestion, I tried this bu it didn't work. Still getting errors:

| pivot Statistics HTTP sum(count) as HTTPSum | eval HTTPSum = 'HTTPSum'/3600 SPLITROW _time AS _time PERIOD hour

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...