Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Using eval with subsearch stats as an argument
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using eval with subsearch stats as an argument
Hullo,
I have a set of messages as data which are various events being sent from an app. Every single message has the user_id field, and some of them have a log_info field, which indicates that the message was sent to indicate an error. I want to find out what percentage of users are encountering errors over the past X minutes.
Here's what I have so far.
source="app" | stats dc(user_id) as users | eval percent=[search source="app" log_info=* | stats dc(user_id)]/users
I retrieve all the messages from the app initially, and then store a distinct count as 'users'. I run an eval to divide my subsearch by users. My subsearch does the same thing as the initial search, except further narrows down to only the messages with errors.
I've checked and both the searches work. In addition, if I run something like eval percent=users*50 it works fine, so I know that the datatype returned by stats dc() can be plugged into eval. Not sure what I could be doing wrong.
Thanks for any help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use return like this, too:
source="app" | stats dc(user_id) as users | eval percent=[search source="app" log_info=* | stats dc(user_id) as errs | return $errs]/users
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Figures that after a couple hours of trying, I'd figure it out 30 minutes after posting.
source="app" | stats dc(user_id) as users | eval percent=[search source="app" log_info=* | stats dc(user_id) as errs | rename errs as query]/users
This works. Next up is finding out how to make it play nice with timechart instead of stats.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks!
Have been looking for this for days..
("query" as a column name for returning values to eval expressions..)
Is that anywhere in the documentation?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
