Splunk Search

Problem with Count and Eval losing fields

Path Finder

Here is my search:

source="/usr/local/logs/request/request.log" Supplier="LO" OR Supplier="AL" Type="Availability" | stats count AS Availabilty, count(eval(Result="NORATE")) AS NoAvail BY Hotel | eval percentage=round(100-(NoAvail/Availability*100)) | table Supplier, Hotel, Availabilty, NoAvail, percentage

How do I keep Supplier values throughout the pipes? How do I get percentage to display? I literally copied that one from a search example online yet the values of percentage never display. What am I missing?


Re: Problem with Count and Eval losing fields

Communicator

The problem is the stats count AS Availabilty, count(eval(Result="NORATE")) AS NoAvail BY Hotel pipe. After this section, you will only have the "Availability", "NoAvail", and "Hotel" fields as they will be the only things displayed in the Stats output.

Luckily, there's an easy workaround. You can use Eventstats instead of Stats to keep all your other fields (including Supplier). So the full query will look like

source="/usr/local/logs/request/request.log" Supplier="LO" OR Supplier="AL" Type="Availability" | eventstats count AS Availabilty, count(eval(Result="NORATE")) AS NoAvail BY Hotel | eval percentage=round(100-(NoAvail/Availability*100)) | table Supplier, Hotel, Availabilty, NoAvail, percentage

Does this solve your problem?


Re: Problem with Count and Eval losing fields

Path Finder

Sweet!! That gave me Supplier back. Thank you! Any suggestions on getting percentage to display?


Re: Problem with Count and Eval losing fields

Communicator

Any time.

If there are values in "percentage" and you can see it in the field list, you might want to try using something other than Table to display your results. You could try using Stats instead.

If there are no values in the field, there may be something wrong with the way you're calculating percentage. As a blind guess, you could try taking out the "round" and see what happens...

Also, think you could "accept" this answer if it helped you out? 🙂


Re: Problem with Count and Eval losing fields

Path Finder

Ah ha. The check in the field list clued me in. All because of a typo. Thank you thank you. I was looking all over for the "accept" link or to uprate you but I don't see those links here. I'm in Chrome...hmmm I definitely want to give you your props and credit. 🙂


Re: Problem with Count and Eval losing fields

Communicator

That would do it!

There should be a small check sign just under the vote up/vote down arrows for my answer. Clicking that check should accept it.


Re: Problem with Count and Eval losing fields

Path Finder

lol got it! too bad I can't check that answer too!
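A small Python model of the behaviour discussed in this thread, added here as an illustration and not taken from any post or from Splunk itself: stats keeps only the BY fields and the aggregates, eventstats keeps every event and its fields, and an eval that references a field name that does not exist (as with Availabilty and Availability in the searches above) yields null. The sample events, function names and the total_field parameter are constructed for the example; putting Supplier in the BY clause is shown as another way to keep it, with one row per group.

```python
from collections import defaultdict

# Constructed sample events; field names follow the search in the thread.
EVENTS = [
    {"Supplier": "LO", "Hotel": "H1", "Result": "OK"},
    {"Supplier": "LO", "Hotel": "H1", "Result": "NORATE"},
    {"Supplier": "AL", "Hotel": "H2", "Result": "OK"},
    {"Supplier": "AL", "Hotel": "H2", "Result": "OK"},
    {"Supplier": "AL", "Hotel": "H2", "Result": "OK"},
    {"Supplier": "AL", "Hotel": "H2", "Result": "NORATE"},
]

def _aggregate(events, by):
    """Model of: count AS Availability, count(eval(Result="NORATE")) AS NoAvail BY <by>."""
    groups = defaultdict(lambda: {"Availability": 0, "NoAvail": 0})
    for ev in events:
        agg = groups[tuple(ev[f] for f in by)]
        agg["Availability"] += 1
        agg["NoAvail"] += ev["Result"] == "NORATE"
    return groups

def stats(events, by):
    """Transforming: one row per group; only BY fields and aggregates survive."""
    return [dict(zip(by, key), **agg) for key, agg in _aggregate(events, by).items()]

def eventstats(events, by):
    """Non-transforming: every event is kept and gains the aggregate fields."""
    groups = _aggregate(events, by)
    return [{**ev, **groups[tuple(ev[f] for f in by)]} for ev in events]

def eval_percentage(rows, total_field="Availability"):
    """Model of: eval percentage=round(100-(NoAvail/<total_field>*100))."""
    out = []
    for row in rows:
        total = row.get(total_field)  # a misspelled field name is absent -> None (null)
        pct = None if not total else round(100 - row["NoAvail"] / total * 100)
        out.append({**row, "percentage": pct})
    return out

if __name__ == "__main__":
    for row in eval_percentage(stats(EVENTS, ["Supplier", "Hotel"])):
        print(row)
```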