Splunk Search

How to use eval with Pivot?

New Member

I need to generate a calculated field in Pivot with no luck.

I tried this:

| pivot Statistics HTTP sum(eval(count/3600))

I get this error:

The object 'HTTP' has no field 'eval(count/3600'.

Any ideas pls??

Tags (3)
0 Karma

Path Finder

When you are in search can you pipe the HTTPSum and HTTP into a table to show the value?
something like this?
source="tutorialdata.zip:*" sourcetype="vendor_sales/vendor_sales"
| eval HTTPSum = count/3600| stats count by HTTPSum Code

0 Karma

New Member

I works in search, My problem is with Pivot!

0 Karma

New Member

it seems that the new calculated attribute needs to be defined in the HTTP object to work with Pivot? I'm looking for a workaround!

0 Karma

Path Finder

Can you show us a sample of your data please. Thanks

0 Karma

New Member

Hi Melstrathdee,

Here is an example of my events:
I need to sum the count over a Period of one hour and find the Transaction per second by dividing the sum(count) by 3600

Start Time In MS=1479738420000,Start Time Local=Mon Nov 21 14:27:00 GMT+00:00 2016,End Time In MS=1479738480000,End Time Local=Mon Nov 21 14:28:00 GMT+00:00 2016,Site=W0,Group=HTTP,SourceIP=127.0.0.1,Status=200,URL=http://127.0.0.1:8080/xmlapi/invoke,Count=24,Rate=0.4,Average Latency=1.29166

0 Karma

Path Finder

Place the eval statement that calculates the HTTPSum in your search before you pipe the pivot. This should then make the field available. Hope this helps 🙂

0 Karma

New Member

Unfortunately I already tried this,
eval HTTPSum = count/3600| pivot Statistics HTTP sum(HTTPSum) as "TPS" SPLITROW _time AS _time PERIOD hour

I'm still getting the error:
Error in 'PivotCell': The object 'HTTP' has no field 'HTTPSum'.

0 Karma

Champion

Try this

| pivot Statistics HTTP sum(count) as HTTPSum SPLITROW _time AS _time PERIOD hour | eval HTTPSum = HTTPSum/3600

With pivot commands, you can only use SPLITROW and other pivot related options in the pipeline with the pivot command.

0 Karma

New Member

Thanks rjthibod,

I tried your suggestion but pivot still doesn't like it. I get this error 😞 :
Error in 'PivotCell': The object 'HTTP' has no field '|'.

Any work around would be appreciated.

0 Karma

Splunk Employee
Splunk Employee

I believe it should be:

| pivot Statistics HTTP sum(HTTP) as HTTPSum | eval HTTPSum = 'HTTPSum'/3600

If that's what you're angling for....

0 Karma

New Member

I need to sum the count over a Period of one hour and find the Transaction per second by dividing the sum(count) by 3600. Following your suggestion, I tried this bu it didn't work. Still getting errors:

| pivot Statistics HTTP sum(count) as HTTPSum | eval HTTPSum = 'HTTPSum'/3600 SPLITROW _time AS _time PERIOD hour

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!