Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there something about a join that prevents me from doing evaluations?

laduran
Explorer
‎08-05-2022 12:47 PM

I am fairly new to Splunk but I come from a background of SQL databases and I may still be trying to do things in a "relational" way...
Having said that I have two data sources. One represents test results (a list of test results) and one represents test suites (just some metadata for a set of tests like number of tests and a minimum required passing tests)

I want to be able to compute the ratio of tests that passed and compare that with a passing threshold ratio. To do this I join test results with the test summary data like this:

index=test_results
| where (!isnull(test_result))
| join type=inner left=L right=R where L.test_summary_id=R.test_summary_id
[search index=test_summaries]
|stats
values(L.project_short) AS project,
count(eval(L.test_result=='PASS')) as tests_passing
count,
values(R.number_of_tests) as number_of_tests,
values(R.passing_threshold) as pass_threshold
by L.sw_release_id



The line

 count(eval(L.test_result=='PASS')) as tests_passing


always evaluates to 0 but I expect it to be the number of tests with the value "PASS" as a result for that sw_release_id.

Other searches where I am not joining two tables, I can compute the tests_passing value correctly. Is there something about a join that prevents me from doing evaluations? Should I not use a join?

Thanks...


Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-05-2022 02:14 PM

Try something like this, although it is not clear what the relationship is between test_summary_id and sw_release_id, so this may not give you what you want. (Given that test_summary_id has the same name in your left and right, you don't need to qualify the names.)

index=test_results
| where isnotnull(test_result)
| join test_summary_id [search index=test_summaries]
| stats
values(project_short) AS project,
count(eval(test_result=='PASS')) as tests_passing
count,
values(number_of_tests) as number_of_tests,
values(passing_threshold) as pass_threshold
by sw_release_id

 

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...