Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Strange behavior of an eval

rbochen
New Member
‎11-09-2017 03:13 AM 
 "call" OR "exception1" OR "exception2" OR "exception3"
    | eval calls = if(like(message, "%call%"), 1, 0)
    | eval errors1 = if(like(message, "%exception1%"), 1, 0)
    | eval errors2 = if(like(message, "%exception2%"), 1, 0)
    | eval errors3 = if(like(message, "%exception3%"), 1, 0)
    | eval errors = errors1 + errors2 + errors3
    | eval allErrorsPerMile = round((errors*1000) / calls, 3)
    | stats sum(allErrorsPerMile), sum(errors1), sum(errors2), sum(errors3), sum(errors), sum(calls)

Straight to the point: "calls" eval do not work in calculations 

allErrorsPerMile = round((errors*1000) / calls, 3)

even though im sure it contains some value(it can be seen on the screenshot)
Im also sure the 

| eval allErrorsPerMile = round((errors*1000) / calls, 3)

works becouse if i put a number instead of "calls" it calculates it

Whats wrong there? maybe I should approach the problem differently?

alt text

Tags (2)
Preview file
8 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎11-09-2017 06:38 AM

The eval command running on a per-event basis. This part of your search string:

 | eval calls = if(like(message, "%call%"), 1, 0)

is setting the value of calls to either 1 or 0. So on some events, you are dividing by 0, which will produce an error.

So let's talk about these lines:

| eval errors = errors1 + errors2 + errors3

| eval allErrorsPerMile = round((errors*1000) / calls, 3)

Are you actually intending to calculate allErrorsPerMile on a per-event basis? Or is this meant to be a value you are calculating across the sum of the errors in all events? If it's the latter, you'll need to do something like this instead:

| stats sum(errors1) AS errors1 sum(errors2) AS errors2 sum(errors3) AS errors3 sum(calls) AS calls 
| eval errors=errors1 + errors2 + errors3
| eval allErrorsPerMile=if(calls>0, round((errors*1000)/calls, 3), "Error: Trying to divide by zero")

By reversing the order of the stats and eval commands, you'll get totals across all events, rather than across individual events.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎11-09-2017 06:38 AM

The eval command running on a per-event basis. This part of your search string:

 | eval calls = if(like(message, "%call%"), 1, 0)

is setting the value of calls to either 1 or 0. So on some events, you are dividing by 0, which will produce an error.

So let's talk about these lines:

| eval errors = errors1 + errors2 + errors3

| eval allErrorsPerMile = round((errors*1000) / calls, 3)

Are you actually intending to calculate allErrorsPerMile on a per-event basis? Or is this meant to be a value you are calculating across the sum of the errors in all events? If it's the latter, you'll need to do something like this instead:

| stats sum(errors1) AS errors1 sum(errors2) AS errors2 sum(errors3) AS errors3 sum(calls) AS calls 
| eval errors=errors1 + errors2 + errors3
| eval allErrorsPerMile=if(calls>0, round((errors*1000)/calls, 3), "Error: Trying to divide by zero")

By reversing the order of the stats and eval commands, you'll get totals across all events, rather than across individual events.

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎11-09-2017 06:15 AM

The issue seems to be in output of eval errors
Can you tell me the output of errors? Is it coming propeR?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...