Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Return the Count of events divided by 2

ibanez450
Explorer
‎04-10-2021 05:44 PM

I'm pretty new at this so I apologize if the question seems stupid.

I have a printer that sends syslogs to Splunk, and whenever the printer processes a job, it sends 2 identical items to Splunk. It's simple enough to get the total count, but dividing it in half is driving me crazy.

source = "hp printing" | chart count by host

Because of how the printer sends its logs, whatever the above outputs is double the actual number of print jobs the device has processed. I've tried so many combinations and just can't seem to figure it out.

source="hp printing" "printing"
| chart eval(count/2) by host

Above returns "Error in 'chart' command: The eval expression has no fields: 'count/2'."

source="hp printing" "printing"
| eval print_jobs = count/2
| chart eval(print_jobs) by host

Above returns "Error in 'chart command: The eval expression has no fields: 'print_jobs'."

I feel like this should be a simple task but just can't seem to nail it down.

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ibanez450
Explorer
‎04-11-2021 06:46 AM

Looks like I found a solution, maybe there's a better way, but this worked:

index=print "printing"
| fieldformat count=count/2
| chart count

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ibanez450
Explorer
‎04-11-2021 06:46 AM

Looks like I found a solution, maybe there's a better way, but this worked:

index=print "printing"
| fieldformat count=count/2
| chart count
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-10-2021 11:04 PM

Hi @ibanez450,

the easiest way is to use the stats command instead chart:

source="hp printing" "printing"
| stats eval(print_jobs) AS count by host
| eval print_jobs = count/2

If the duplicated events have the same timestamp you could also use dedup before charting:

source="hp printing" "printing"
| dedup host _time
| chart eval(print_jobs) AS print_jobs by host

One final hint: use always index in your main search: your searches will be faster.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

ibanez450
Explorer
‎04-11-2021 05:51 AM

Thank you for the response, but neither of these worked.

The first one returned: "Error in 'stats' command: The argument 'eval(print_jobs)' is invalid. The second one returned: Error in 'chart' command: The eval expression has no fields: 'print_jobs'.

I had tried the dedup command, but unfortunately the timestamp on all of them is the same "none" and the _time is different on all of them so that just returns all the events instead.

Based on another thread in the forum, I've also tried:

index=print "printing" host=*
| eval print_job = count/2
| stats count(print_job)

But that just returns zero... So still stuck unfortunately.

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...