Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What am I doing wrong in either my stats, append or eval because I keep getting a blank field?

brood85
Engager
‎01-09-2013 10:11 AM

I am very new to Splunk (as in this is my 3rd day using it) and am having some issues understanding what I am doing wrong.

 specific.server
    | stats dc(userID) as totalUsers
    | append [search specific.server AND "text" | stats count(field) as variableA]
    | eval variableB = exact(variableA/totalUsers)
    | stats sum(totalUsers), sum(variableA), sum(variableB)

Now when this runs sum(totalUsers) and sum(variableA) shows up correctly however sum(variableB) always shows up as a blank field. I have tried many different ways and none of them have worked.

Now I will explain the way I am understanding what I wrote.

  1. First I am counting the number of individual users on a specific server and putting that number as a variable named totalUsers.
  2. I am doing another search and in that search I count how many times a certain field occurs on that specific server and place that value into variableA
  3. I then create a new variable called variableB and evaluate that to be variableA/totalUsers
  4. This then is displayed with the sum of each individual variables totalUsers, variableA, variableB

Please explain to me what I am understanding incorrectly and if at all possible how to achieve what I am trying to do or at least point me in the right direction.

Thanks

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎01-10-2013 11:26 PM

First, you don't want append, you want appendcols. When you use append, you will end up with multiple events - you want all these results in a single event.

Second, you need to time-constrain your inner search, else it runs over all time. I have done that by using addinfo to collect the time parameters of the outer search, and then apply them to the inner search.

Finally, I don't think you need the final stats command, either.

specific.server
| stats dc(userID) as totalUsers
| appendcols [ search specific.server AND "text" 
      addinfo | where _time >= info_min_time AND _time <=info_max_time
      | stats count(field) as variableA ]
| eval variableB = exact(variableA/totalUsers)
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...