Re: How to use eval with Pivot?

emoyoun · ‎11-18-2016

I need to generate a calculated field in Pivot with no luck.

I tried this:

| pivot Statistics HTTP sum(eval(count/3600))

I get this error:

The object 'HTTP' has no field 'eval(count/3600'.

Any ideas pls??

Melstrathdee · ‎11-21-2016

When you are in search can you pipe the HTTPSum and HTTP into a table to show the value?
something like this?
source="tutorialdata.zip:*" sourcetype="vendor_sales/vendor_sales"
| eval HTTPSum = count/3600| stats count by HTTPSum Code

emoyoun · ‎11-21-2016

I works in search, My problem is with Pivot!

emoyoun · ‎11-21-2016

it seems that the new calculated attribute needs to be defined in the HTTP object to work with Pivot? I'm looking for a workaround!

Melstrathdee · ‎11-20-2016

Can you show us a sample of your data please. Thanks

emoyoun · ‎11-21-2016

Hi Melstrathdee,

Here is an example of my events:
I need to sum the count over a Period of one hour and find the Transaction per second by dividing the sum(count) by 3600

Start Time In MS=1479738420000,Start Time Local=Mon Nov 21 14:27:00 GMT+00:00 2016,End Time In MS=1479738480000,End Time Local=Mon Nov 21 14:28:00 GMT+00:00 2016,Site=W0,Group=HTTP,SourceIP=127.0.0.1,Status=200,URL=http://127.0.0.1:8080/xmlapi/invoke,Count=24,Rate=0.4,Average Latency=1.29166

Melstrathdee · ‎11-21-2016

Place the eval statement that calculates the HTTPSum in your search before you pipe the pivot. This should then make the field available. Hope this helps 🙂

emoyoun · ‎11-21-2016

Unfortunately I already tried this,
eval HTTPSum = count/3600| pivot Statistics HTTP sum(HTTPSum) as "TPS" SPLITROW _time AS _time PERIOD hour

I'm still getting the error:
Error in 'PivotCell': The object 'HTTP' has no field 'HTTPSum'.

rjthibod · ‎11-20-2016

Try this

| pivot Statistics HTTP sum(count) as HTTPSum SPLITROW _time AS _time PERIOD hour | eval HTTPSum = HTTPSum/3600

With pivot commands, you can only use SPLITROW and other pivot related options in the pipeline with the pivot command.

emoyoun · ‎11-20-2016

Thanks rjthibod,

I tried your suggestion but pivot still doesn't like it. I get this error 😞 :
Error in 'PivotCell': The object 'HTTP' has no field '|'.

Any work around would be appreciated.

pgreer_splunk · ‎11-18-2016

I believe it should be:

| pivot Statistics HTTP sum(HTTP) as HTTPSum | eval HTTPSum = 'HTTPSum'/3600

If that's what you're angling for....

emoyoun · ‎11-18-2016

I need to sum the count over a Period of one hour and find the Transaction per second by dividing the sum(count) by 3600. Following your suggestion, I tried this bu it didn't work. Still getting errors:

| pivot Statistics HTTP sum(count) as HTTPSum | eval HTTPSum = 'HTTPSum'/3600 SPLITROW _time AS _time PERIOD hour

How to use eval with Pivot?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation