Splunk Search

Is there something about a join that prevents me from doing evaluations?

laduran
Explorer

I am fairly new to Splunk but I come from a background of SQL databases and I may still be trying to do things in a "relational" way...
Having said that, I have two data sources. One represents test results (a list of test results) and one represents test suites (just some metadata for a set of tests, like number of tests and a minimum required passing tests).

I want to be able to compute the ratio of tests that passed and compare that with a passing threshold ratio. To do this I join test results with the test summary data like this:

index=test_results
| where (!isnull(test_result))
| join type=inner left=L right=R where L.test_summary_id=R.test_summary_id
[search index=test_summaries]
|stats
values(L.project_short) AS project,
count(eval(L.test_result=='PASS')) as tests_passing
count,
values(R.number_of_tests) as number_of_tests,
values(R.passing_threshold) as pass_threshold
by L.sw_release_id



The line

 count(eval(L.test_result=='PASS')) as tests_passing


always evaluates to 0 but I expect it to be the number of tests with the value "PASS" as a result for that sw_release_id.

In other searches where I am not joining two tables, I can compute the tests_passing value correctly. Is there something about a join that prevents me from doing evaluations? Should I not use a join?

Thanks...



ITWhisperer
SplunkTrust

Try something like this, although it is not clear what the relationship is between test_summary_id and sw_release_id, so this may not give you what you want. (Given that test_summary_id has the same name in your left and right, you don't need to qualify the names.)

index=test_results
| where isnotnull(test_result)
| join test_summary_id [search index=test_summaries]
| stats
values(project_short) AS project,
count(eval(test_result=="PASS")) as tests_passing,
count,
values(number_of_tests) as number_of_tests,
values(passing_threshold) as pass_threshold
by sw_release_id
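
Added example (not part of either post above): a self-contained search that rebuilds the join on constructed data and counts passes with both quoting styles. In an eval expression single quotes denote a field name and double quotes a string literal, so `test_result=='PASS'` compares against a field called PASS, which does not exist here. The rows, the release names, and the `single_quoted`, `pass_ratio` and `meets_threshold` fields are assumptions made for illustration.

```spl
| makeresults count=6
| streamstats count AS n
| eval test_summary_id=if(n<=4, 1, 2),
       sw_release_id=if(n<=4, "rel-A", "rel-B"),
       project_short="demo",
       test_result=if(n%2==0, "FAIL", "PASS")
| where isnotnull(test_result)
| join type=inner test_summary_id
    [| makeresults count=2
     | streamstats count AS test_summary_id
     | eval number_of_tests=if(test_summary_id==1, 4, 2),
            passing_threshold=0.5
     | fields test_summary_id number_of_tests passing_threshold]
| stats values(project_short) AS project,
        count(eval(test_result=='PASS')) AS single_quoted,
        count(eval(test_result=="PASS")) AS tests_passing,
        count,
        values(number_of_tests) AS number_of_tests,
        values(passing_threshold) AS pass_threshold
        BY sw_release_id
| eval pass_ratio=round(tests_passing/number_of_tests, 2),
       meets_threshold=if(pass_ratio>=pass_threshold, "yes", "no")
```

If the `left=L right=R` aliases from the question are kept, the field name itself also needs single quotes inside eval, because `.` is eval's concatenation operator: `count(eval('L.test_result'=="PASS"))`.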

 
