Splunk Search

Using eval with subsearch stats as an argument

erikross
Explorer

Hullo,

I have a set of messages as data which are various events being sent from an app. Every single message has the user_id field, and some of them have a log_info field, which indicates that the message was sent to indicate an error. I want to find out what percentage of users are encountering errors over the past X minutes.

Here's what I have so far.

source="app" | stats dc(user_id) as users | eval percent=[search source="app" log_info=* | stats dc(user_id)]/users

I retrieve all the messages from the app initially, and then store a distinct count as 'users'. I run an eval to divide my subsearch by users. My subsearch does the same thing as the initial search, except further narrows down to only the messages with errors.

I've checked and both the searches work. In addition, if I run something like eval percent=users*50 it works fine, so I know that the datatype returned by stats dc() can be plugged into eval. Not sure what I could be doing wrong.

Thanks for any help!


woodcock
Esteemed Legend

You can use return like this, too:

source="app" | stats dc(user_id) as users | eval percent=[search source="app" log_info=* | stats dc(user_id) as errs | return $errs]/users

erikross
Explorer

Figures that after a couple hours of trying, I'd figure it out 30 minutes after posting.

source="app" | stats dc(user_id) as users | eval percent=[search source="app" log_info=* | stats dc(user_id) as errs | rename errs as query]/users

This works. Next up is finding out how to make it play nice with timechart instead of stats.
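A single-pass version of the same calculation, added here as an editor's example rather than code from the thread: it avoids the subsearch altogether (and with it the subsearch result-count and run-time limits) by counting distinct users and distinct erroring users in one stats call, and the second search does the same with timechart, which is the follow-up question above. It assumes the same source="app", user_id and log_info fields, and the 5-minute span is a constructed value.

```spl
source="app"
| stats dc(user_id) AS users,
        dc(eval(if(isnotnull(log_info), user_id, null()))) AS error_users
| eval percent=round(100 * error_users / users, 2)

source="app"
| timechart span=5m
        dc(user_id) AS users,
        dc(eval(if(isnotnull(log_info), user_id, null()))) AS error_users
| eval percent=round(100 * error_users / users, 2)
```

In the timechart form the eval runs on every row, so percent is produced per time bucket; note that the original search yields a fraction between 0 and 1 while this one is scaled to 100.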

ionis
Engager

Thanks!
Have been looking for this for days..
("query" as a column name for returning values to eval expressions..)

Is that anywhere in the documentation?
