Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to multiply two fields fields with my current search syntax?

IRHM73
Motivator
‎11-11-2015 03:43 AM

Hi, I wonder whether someone may be able to help me please.

I'm trying to put together a piece of a search which multiplies two numerical fields.

I've looked through Splunk Answers and tried both of the following:

eval Rating Calculation = Total Replies * Rating Score

and

eval Rating Calculation = "Total Replies"  * "Rating Score"

But neither work.

I just wondered whether someone may be able to look at this please and let me know where I've gone wrong.

Many thanks and kind regards

Chris

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aholzer
Motivator
‎11-11-2015 05:55 AM

Use the rename function, to rename your fields with spaces to fields without spaces:

... | rename "Total Replies" AS TotalReplies, "Rating Score" AS RatingScore

Then apply your eval (may I suggest you don't use a space in the name of your field in the eval?):

... | eval RatingCalculation = TotalReplies * RatingScore

Once all this is done, you can then rename them back to having the space between words. But I would leave this rename to the very last step in your search, to avoid further issues with fields with spaces:

... | rename Rating* AS "Rating *", TotalReplies AS "Total Replies"

Your full search would look like this:

<your base search> | rename "Total Replies" AS TotalReplies, "Rating Score" AS RatingScore | eval RatingCalculation = TotalReplies * RatingScore | rename Rating* AS "Rating *", TotalReplies AS "Total Replies"

Hope this helps

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-11-2015 08:24 AM

The direct way to do this is to force splunk to interpret your string as a field name; this is done by bounding the LHV in double-quotes and the RHVs inside dollar-signs, like this:

| eval "Rating Calculation" = $Total Replies$ * $Rating Score$
Reply
Solved! Jump to solution

aholzer
Motivator
‎11-11-2015 08:30 AM

Cool, I was unaware of that feature.

0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎11-11-2015 10:33 PM

Hi @woodcock, thank you very much for this. A really useful piece of information.

Many thanks and kind regards

Chris

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-11-2015 09:32 AM

The normal version of this feature is to use single quotes:

| eval "Rating Caculation" = 'Total Replies' * 'Rating Score'

From the docs:

If the expression references a field name that contains non-alphanumeric characters, it needs to be surrounded by single quotes; for example, new=count+'server-1'.
Reply
Solved! Jump to solution

IRHM73
Motivator
‎11-11-2015 10:35 PM

Hi @aljohnson, thank you for taking the time to come back to me with this. Another really useful piece of information.

Many thanks and kind regards

Chris

0 Karma
Reply
Solved! Jump to solution
Solution

aholzer
Motivator
‎11-11-2015 05:55 AM

Use the rename function, to rename your fields with spaces to fields without spaces:

... | rename "Total Replies" AS TotalReplies, "Rating Score" AS RatingScore

Then apply your eval (may I suggest you don't use a space in the name of your field in the eval?):

... | eval RatingCalculation = TotalReplies * RatingScore

Once all this is done, you can then rename them back to having the space between words. But I would leave this rename to the very last step in your search, to avoid further issues with fields with spaces:

... | rename Rating* AS "Rating *", TotalReplies AS "Total Replies"

Your full search would look like this:

<your base search> | rename "Total Replies" AS TotalReplies, "Rating Score" AS RatingScore | eval RatingCalculation = TotalReplies * RatingScore | rename Rating* AS "Rating *", TotalReplies AS "Total Replies"

Hope this helps

Reply
Solved! Jump to solution

IRHM73
Motivator
‎11-11-2015 06:45 AM

Hi @aholzer, thank you for taking the time to come back to me with this.

Your solution works perfectly!

Many thanks and kind regards

Chris

0 Karma
Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎11-11-2015 04:06 AM

Try enclosing those in quotes. Splunk has trouble with spaces sometimes

Eval "my total" = 1 + 1

Or

eval "my total" = value1 + value2
Reply
Solved! Jump to solution

IRHM73
Motivator
‎11-11-2015 10:34 PM

I downvoted this post because voted in error

0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎11-11-2015 05:39 AM

Hi @esix, thank you for coming back to me with this.

Unfortunately this doesn't work.

I have tried eval "my total" = Total Replies * Rating Score with "Total Replies" and "Rating Score being the fields I'd like to multiply and I receive the following error:

Error in 'eval' command: The operator
at 'Replies + Rating Score' is
invalid.

I then tried eval "my total" = "Total Replies" * "Rating Score" and this just adds the text "Total Replies" and Rating Score" together in the "my total" field.

Many thanks and kind regards

Chris

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...