Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Splunk eval not working with generated column
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk eval not working with generated column
Need some help on some Splunk Search Syntax.
| inputlookup defect__kvs
| search (week_date="") (type="") (sub_type="") (model="") (sub_type=) (model=)
| eval total_polulation=700 (this will be a $token$ in a panel)
| stats count by failure sw_type
| rename count as num_failure
| eval pct_of_total=(num_failure/total_population) | table failure sw_type num_failure pct_of_total
pct_of_total does not produce a value.
I do not want to do appendcols or a subsearch as the Token is to be widely used and it works in other queries as a variable. Total_polulation cannot be derived from the Event Set.
Basically the totals are derived in the following XML
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
is eval total_polulation copied from your actual query? If so, then your problem is the typo in it.
I just tried what you did with some other data/fields, and it works for me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank for your response. Actually this was not a typo as I was editing the search to remove customer information. I did manage to get it to work but it was strange, for if I place the "|eval a=700" before the stats statement it does not compute, but after it it does. This was the final query.
THIS DOES NOT WORK
| inputlookup defect__kvs
| search (week_date="*") (type="*") (sub_type="*") (model="*") (sub_type="*") (model="*")
| eval total_population=700 | stats count by failure sw_type | rename count as num_failure
| eval pct_of_total=(num_failure/total_population)
| rename count as num_failure | table failure sw_type num_failure pct_of_total
THIS DOES WORK
| inputlookup defect__kvs
| search (week_date="*") (type="*") (sub_type="*") (model="*") (sub_type="*") (model="*")
| stats count by failure sw_type | rename count as num_failure
| eval total_population=700
| eval pct_of_total=(num_failure/total_population)
| rename count as num_failure | table failure sw_type num_failure pct_of_total
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
