Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using Eval where

tb5821
Communicator
‎08-09-2013 06:06 AM

I'm doing something wrong here.. . I have the following search

...| eval SuccessRatio =  (round(((succeeded_count)/(task_count)) * 100)). "%" | search SuccessRatio < 98 |  sort SuccessRatio

I'm trying to filter out anything that has a SuccessRatio of greater than 98% but its not working I'm still getting results that have 100% success.

Tags (3)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-09-2013 05:04 PM

because you appended "%" to the number before filtering, making it a string (not a number). SuccessRatio is not a number, it's a string. eval, filter, sort, and then format it:

  ... | eval SuccessRatio = round(100*succeeded_count/task_count) | where SuccessRatio < 98 | sort SuccessRatio | eval SuccessRatio = SuccessRatio . "%"
Reply

davecroto
Splunk Employee
Splunk Employee
‎08-09-2013 08:23 AM

Did you ever get this to work?

0 Karma
Reply

davecroto
Splunk Employee
Splunk Employee
‎08-09-2013 06:41 AM

Test to see if succeeded_count and task count are actually numbers. Other than that, I cannot see why this would not work

0 Karma
Reply

davecroto
Splunk Employee
Splunk Employee
‎08-09-2013 06:22 AM

*|eval succeeded_count=99 |eval task_count=1| eval SuccessRatio = (round(((succeeded_count)/(task_count)) * 100)). "%" | search SuccessRatio < 98 | sort SuccessRatio

vs

*|eval succeeded_count=20 |eval task_count=1| eval SuccessRatio = (round(((succeeded_count)/(task_count)) * 100)). "%" | search SuccessRatio < 98 | sort SuccessRatio

Seems to work for the above

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...