Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I am getting the Error in 'eval' command: Type checking failed. '-' only takes numbers, while calculating difference

dtccsundar
Path Finder
‎06-30-2021 04:00 AM

Hi ,

My wish to get the difference between yesterday and todays Pass % and fail % for different sourcetypes .

I have tried as below ,

index=x1 sourcetype=y1 OR sourcetype=y2 OR sourcetype=y3 OR sourcetype=y4 OR sourcetype=y5 OR sourcetype=y6 OR sourcetype=y7 earliest=-48h@h latest=-24h@h|chart count over sourcetype by Status|addtotals|eval "dbyest Pass %"=round((Pass/Total)*100,3) |eval "dbyest Fail %"=round((Fail/Total)*100,3) |stats count by sourcetype "dbyest Pass %" "dbyest Fail %" |rename Total as "Total Scope"|eval repo="dbyest"

|append

[search index=x1 sourcetype=y1 OR sourcetype=y2 OR sourcetype=y3 OR sourcetype=y4 OR sourcetype=y5 OR sourcetype=y6 OR sourcetype=y7 earliest=-48h@h latest=-24h@h|chart count over sourcetype by Status|addtotals|eval "yest Pass %"=round((Pass/Total)*100,3) |eval "yest Fail %"=round((Fail/Total)*100,3) |stats count by sourcetype "yest Pass %" "yest Fail %" |rename Total as "Total Scope"|eval repo="yest"]

|eval "Pass % diff"=round("dbyest Pass %"-"yest Pass %")|table "dbyest Pass %" "dbyest Fail %" "yest Pass %" "yest Fail %" "Pass % diff"

When i ran this , i am getting the error "Error in 'eval' command: Type checking failed. '-' only takes numbers."

Please help me in this to get the difference ?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-30-2021 05:41 AM

@dtccsundar 

Can you please try this?

index=x1 sourcetype=y1 OR sourcetype=y2 OR sourcetype=y3 OR sourcetype=y4 OR sourcetype=y5 OR sourcetype=y6 OR sourcetype=y7 earliest=-48h@h latest=-24h@h 
| chart count over sourcetype by Status 
| addtotals 
| eval dbyest_Pass=round((Pass/Total)*100,3) 
| eval dbyest_Fail=round((Fail/Total)*100,3) 
| stats count by sourcetype dbyest_Pass dbyest_Fail 
| rename Total as "Total Scope" 
| eval repo="dbyest" 
| append 
    [ search index=x1 sourcetype=y1 OR sourcetype=y2 OR sourcetype=y3 OR sourcetype=y4 OR sourcetype=y5 OR sourcetype=y6 OR sourcetype=y7 earliest=-48h@h latest=-24h@h 
    | chart count over sourcetype by Status 
    | addtotals 
    | eval yest_Pass=round((Pass/Total)*100,3) 
    | eval yest_Fail=round((Fail/Total)*100,3) 
    | stats count by sourcetype yest_Pass yest_Fail 
    | rename Total as "Total Scope" 
    | eval repo="yest"] 
| eval Pass_diff=round(dbyest_Pass-yest_Pass)
| rename yest_Pass as "yest Pass %",yest_Fail as "yest Fail %", dbyest_Fail as "dbyest Fail %", dbyest_Pass as "dbyest Pass %", Pass_diff as "Pass % diff"
| table "dbyest Pass %" "dbyest Fail %" "yest Pass %" "yest Fail %" "Pass % diff"

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-30-2021 04:13 AM

@dtccsundar 

Can you please change your eval with this?

| eval "Pass % diff"=round('dbyest Pass %'-'yest Pass %')

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated. 

0 Karma
Reply
Solved! Jump to solution

dtccsundar
Path Finder
‎06-30-2021 05:14 AM

kamlesh_vaghela  Thanks for your reply !!

But i am not seeing any value in the table command for "Pass % diff" after that .Can you please provide any other solution for this .

 

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-30-2021 05:41 AM

@dtccsundar 

Can you please try this?

index=x1 sourcetype=y1 OR sourcetype=y2 OR sourcetype=y3 OR sourcetype=y4 OR sourcetype=y5 OR sourcetype=y6 OR sourcetype=y7 earliest=-48h@h latest=-24h@h 
| chart count over sourcetype by Status 
| addtotals 
| eval dbyest_Pass=round((Pass/Total)*100,3) 
| eval dbyest_Fail=round((Fail/Total)*100,3) 
| stats count by sourcetype dbyest_Pass dbyest_Fail 
| rename Total as "Total Scope" 
| eval repo="dbyest" 
| append 
    [ search index=x1 sourcetype=y1 OR sourcetype=y2 OR sourcetype=y3 OR sourcetype=y4 OR sourcetype=y5 OR sourcetype=y6 OR sourcetype=y7 earliest=-48h@h latest=-24h@h 
    | chart count over sourcetype by Status 
    | addtotals 
    | eval yest_Pass=round((Pass/Total)*100,3) 
    | eval yest_Fail=round((Fail/Total)*100,3) 
    | stats count by sourcetype yest_Pass yest_Fail 
    | rename Total as "Total Scope" 
    | eval repo="yest"] 
| eval Pass_diff=round(dbyest_Pass-yest_Pass)
| rename yest_Pass as "yest Pass %",yest_Fail as "yest Fail %", dbyest_Fail as "dbyest Fail %", dbyest_Pass as "dbyest Pass %", Pass_diff as "Pass % diff"
| table "dbyest Pass %" "dbyest Fail %" "yest Pass %" "yest Fail %" "Pass % diff"

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Solved! Jump to solution

dtccsundar
Path Finder
‎06-30-2021 05:55 AM

Thanks for your reply KV .

I got it by changing ,

| eval "dbyest Pass %"=round((Pass/Total)*100,3)

  as 

| eval "dbyest Pass%"=round(('Pass'/Total)*100,3) 

and that worked .

 

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...