Hi,
I have this query:
index="sample_data" sourcetype="analytics_sampledata.csv"
| rename "Resolution Code" as Resolution_Code
| stats count(eval(Status!="Closed")) as "Open Tickets", count(eval(Status="Closed" AND Resolution_Code="Not Resolved *")) as "Closed/Not Resolved Tickets"
And this is the result:
I don't know what could be wrong with query but the second eval
is not returning any value.
I hope anyone would shed a light on this.
Thank you.
I don't think that eval supports wildcards (*).
Try
eval(Status=="Closed" AND like(Resolution_Code,"Not Resolved %"))
hey @jvmerilla
Try this,
index="sample_data" sourcetype="analytics_sampledata.csv"
| rename "Resolution Code" as Resolution_Code
| stats count(eval(Status!="Closed")) as "Open Tickets", count(eval((like(Resolution_Code,"Not Resolved%")) AND Status="Closed")) as "Closed/Not Resolved Tickets"
Let me know if it helps!
Hi @mayurr98,
It also works.
Thank you. 🙂
So the main cause of the error is the *
, and also the format of the code?
yeah eval does not support *
. In order to make it support you need to you eval(like())
and %
works as wildcard in that command.
Refer this link, you will get an idea!
http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/ConditionalFunctions#like.28TEXT.2...
I didn't know that.
Thank you for your help. 🙂
I don't think that eval supports wildcards (*).
Try
eval(Status=="Closed" AND like(Resolution_Code,"Not Resolved %"))
I needed the double quotes too which I learned from your post. Thanks!
Hi @Yunagi,
It works!
Thanks for your help. 🙂