- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why am I unable to multiply two fields fields with...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I wonder whether someone may be able to help me please.
I'm trying to put together a piece of a search which multiplies two numerical fields.
I've looked through Splunk Answers and tried both of the following:
eval Rating Calculation = Total Replies * Rating Score
and
eval Rating Calculation = "Total Replies" * "Rating Score"
But neither work.
I just wondered whether someone may be able to look at this please and let me know where I've gone wrong.
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use the rename function, to rename your fields with spaces to fields without spaces:
... | rename "Total Replies" AS TotalReplies, "Rating Score" AS RatingScore
Then apply your eval (may I suggest you don't use a space in the name of your field in the eval?):
... | eval RatingCalculation = TotalReplies * RatingScore
Once all this is done, you can then rename them back to having the space between words. But I would leave this rename to the very last step in your search, to avoid further issues with fields with spaces:
... | rename Rating* AS "Rating *", TotalReplies AS "Total Replies"
Your full search would look like this:
<your base search> | rename "Total Replies" AS TotalReplies, "Rating Score" AS RatingScore | eval RatingCalculation = TotalReplies * RatingScore | rename Rating* AS "Rating *", TotalReplies AS "Total Replies"
Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The direct way to do this is to force splunk to interpret your string as a field name; this is done by bounding the LHV in double-quotes and the RHVs inside dollar-signs, like this:
| eval "Rating Calculation" = $Total Replies$ * $Rating Score$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cool, I was unaware of that feature.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @woodcock, thank you very much for this. A really useful piece of information.
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The normal version of this feature is to use single quotes:
| eval "Rating Caculation" = 'Total Replies' * 'Rating Score'
From the docs:
If the expression references a field name that contains non-alphanumeric characters, it needs to be surrounded by single quotes; for example, new=count+'server-1'.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @aljohnson, thank you for taking the time to come back to me with this. Another really useful piece of information.
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use the rename function, to rename your fields with spaces to fields without spaces:
... | rename "Total Replies" AS TotalReplies, "Rating Score" AS RatingScore
Then apply your eval (may I suggest you don't use a space in the name of your field in the eval?):
... | eval RatingCalculation = TotalReplies * RatingScore
Once all this is done, you can then rename them back to having the space between words. But I would leave this rename to the very last step in your search, to avoid further issues with fields with spaces:
... | rename Rating* AS "Rating *", TotalReplies AS "Total Replies"
Your full search would look like this:
<your base search> | rename "Total Replies" AS TotalReplies, "Rating Score" AS RatingScore | eval RatingCalculation = TotalReplies * RatingScore | rename Rating* AS "Rating *", TotalReplies AS "Total Replies"
Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @aholzer, thank you for taking the time to come back to me with this.
Your solution works perfectly!
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try enclosing those in quotes. Splunk has trouble with spaces sometimes
Eval "my total" = 1 + 1
Or
eval "my total" = value1 + value2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I downvoted this post because voted in error
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @esix, thank you for coming back to me with this.
Unfortunately this doesn't work.
I have tried eval "my total" = Total Replies * Rating Score with "Total Replies" and "Rating Score being the fields I'd like to multiply and I receive the following error:
Error in 'eval' command: The operator
at 'Replies + Rating Score' is
invalid.
I then tried eval "my total" = "Total Replies" * "Rating Score" and this just adds the text "Total Replies" and Rating Score" together in the "my total" field.
Many thanks and kind regards
Chris
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
