Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Problem with Count and Eval losing fields

rachelneal
Path Finder
‎09-12-2011 11:06 AM

Here is my search:

source="/usr/local/logs/request/request.log" Supplier="LO" OR Supplier="AL" Type=
"Availability"| stats count AS Availabilty, count(eval(Result="NORATE")) AS NoAvail BY Hotel | eval percentage=round(100-(NoAvail/Availability*100)) | table Supplier, Hotel, Availabilty, NoAvail, percentage

How do I keep Supplier values throughout the pipes? How do I get percentage to display? I literally copied that one from a search example online yet the values of percentage never display. What am I missing?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

acdevlin
Communicator
‎09-12-2011 11:16 AM

The problem is the stats count AS Availabilty, count(eval(Result="NORATE")) AS NoAvail BY Hotel pipe. After this section, you will only have the "Availability", "NoAvail", and "Hotel" fields as they will be the only things displayed in the Stats output.

Luckily, there's an easy workaround. You can use Eventstats instead of Stats to keep all your other fields (including Supplier). So the full query will look like

source="/usr/local/logs/request/request.log" Supplier="LO" OR Supplier="AL" Type= "Availability"| eventstats count AS Availabilty, count(eval(Result="NORATE")) AS NoAvail BY Hotel | eval percentage=round(100-(NoAvail/Availability*100)) | table Supplier, Hotel, Availabilty, NoAvail, percentage

Does this solve your problem?

View solution in original post

Reply
Solved! Jump to solution
Solution

acdevlin
Communicator
‎09-12-2011 11:16 AM

The problem is the stats count AS Availabilty, count(eval(Result="NORATE")) AS NoAvail BY Hotel pipe. After this section, you will only have the "Availability", "NoAvail", and "Hotel" fields as they will be the only things displayed in the Stats output.

Luckily, there's an easy workaround. You can use Eventstats instead of Stats to keep all your other fields (including Supplier). So the full query will look like

source="/usr/local/logs/request/request.log" Supplier="LO" OR Supplier="AL" Type= "Availability"| eventstats count AS Availabilty, count(eval(Result="NORATE")) AS NoAvail BY Hotel | eval percentage=round(100-(NoAvail/Availability*100)) | table Supplier, Hotel, Availabilty, NoAvail, percentage

Does this solve your problem?

Reply
Solved! Jump to solution

rachelneal
Path Finder
‎09-12-2011 12:04 PM

lol got it! too bad I can't check that answer too!

0 Karma
Reply
Solved! Jump to solution

acdevlin
Communicator
‎09-12-2011 11:55 AM

That would do it!

There should be a small check sign just under the vote up/vote down arrows for my answer. Clicking that check should accept it.

0 Karma
Reply
Solved! Jump to solution

rachelneal
Path Finder
‎09-12-2011 11:50 AM

Ah ha. The check in the field list clued me in. All because of a typo. Thank you thank you. I was looking all over for the "accept" link or to uprate you but I don't see those links here. I'm in Chrome...hmmm I definitely want to give you your props and credit. 🙂

0 Karma
Reply
Solved! Jump to solution

acdevlin
Communicator
‎09-12-2011 11:42 AM

Any time.

If there are values in "percentage" and you can see it in the field list, you might want to try using something other than Table to display your results. You could try using Stats instead.

If there are no values in the field, there may be something wrong with the way you're calculating percentage. As a blind guess, you could try taking out the "round" and see what happens...

Also, think you could "accept" this answer if it helped you out? 🙂

0 Karma
Reply
Solved! Jump to solution

rachelneal
Path Finder
‎09-12-2011 11:20 AM

Sweet!! That gave me Supplier back. Thank you! Any suggestions on getting percentage to display?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...