Using eval with subsearch stats as an argument

erikross · ‎06-12-2013

Hullo,

I have a set of messages as data which are various events being sent from an app. Every single message has the user_id field, and some of them have a log_info field, which indicates that the message was sent to indicate an error. I want to find out what percentage of users are encountering errors over the past X minutes.

Here's what I have so far.

source="app" | stats dc(user_id) as users | eval percent=[search source="app" log_info=* | stats dc(user_id)]/users

I retrieve all the messages from the app initially, and then store a distinct count as 'users'. I run an eval to divide my subsearch by users. My subsearch does the same thing as the initial search, except further narrows down to only the messages with errors.

I've checked and both the searches work. In addition, if I run something like eval percent=users*50 it works fine, so I know that the datatype returned by stats dc() can be plugged into eval. Not sure what I could be doing wrong.

Thanks for any help!

woodcock · ‎08-17-2015

You can use return like this, too:

 source="app" | stats dc(user_id) as users | eval percent=[search source="app" log_info=* | stats dc(user_id) as errs | return $errs]/users

erikross · ‎06-12-2013

Figures that after a couple hours of trying, I'd figure it out 30 minutes after posting.

source="app" | stats dc(user_id) as users | eval percent=[search source="app" log_info=* | stats dc(user_id) as errs | rename errs as query]/users

This works. Next up is finding out how to make it play nice with timechart instead of stats.

ionis · ‎03-14-2015

Thanks!
Have been looking for this for days..
("query" as a column name for returning values to eval expressions..)

Is that anywhere in the documentation?

Using eval with subsearch stats as an argument

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!