Splunk Search
Highlighted

Why am I unable to multiply two fields fields with my current search syntax?

Motivator

Hi, I wonder whether someone may be able to help me please.

I'm trying to put together a piece of a search which multiplies two numerical fields.

I've looked through Splunk Answers and tried both of the following:

eval Rating Calculation = Total Replies * Rating Score 

and

eval Rating Calculation = "Total Replies"  * "Rating Score"

But neither work.

I just wondered whether someone may be able to look at this please and let me know where I've gone wrong.

Many thanks and kind regards

Chris

0 Karma
Highlighted

Re: Why am I unable to multiply two fields fields with my current search syntax?

Super Champion

Try enclosing those in quotes. Splunk has trouble with spaces sometimes

Eval "my total" = 1 + 1

Or

eval "my total" = value1 + value2
Highlighted

Re: Why am I unable to multiply two fields fields with my current search syntax?

Motivator

Hi @esix, thank you for coming back to me with this.

Unfortunately this doesn't work.

I have tried eval "my total" = Total Replies * Rating Score with "Total Replies" and "Rating Score being the fields I'd like to multiply and I receive the following error:

Error in 'eval' command: The operator
at 'Replies + Rating Score' is
invalid.

I then tried eval "my total" = "Total Replies" * "Rating Score" and this just adds the text "Total Replies" and Rating Score" together in the "my total" field.

Many thanks and kind regards

Chris

0 Karma
Highlighted

Re: Why am I unable to multiply two fields fields with my current search syntax?

Motivator

I downvoted this post because voted in error

0 Karma
Highlighted

Re: Why am I unable to multiply two fields fields with my current search syntax?

Motivator

Use the rename function, to rename your fields with spaces to fields without spaces:

... | rename "Total Replies" AS TotalReplies, "Rating Score" AS RatingScore

Then apply your eval (may I suggest you don't use a space in the name of your field in the eval?):

... | eval RatingCalculation = TotalReplies * RatingScore

Once all this is done, you can then rename them back to having the space between words. But I would leave this rename to the very last step in your search, to avoid further issues with fields with spaces:

... | rename Rating* AS "Rating *", TotalReplies AS "Total Replies"

Your full search would look like this:

<your base search> | rename "Total Replies" AS TotalReplies, "Rating Score" AS RatingScore | eval RatingCalculation = TotalReplies * RatingScore | rename Rating* AS "Rating *", TotalReplies AS "Total Replies"

Hope this helps

View solution in original post

Highlighted

Re: Why am I unable to multiply two fields fields with my current search syntax?

Motivator

Hi @aholzer, thank you for taking the time to come back to me with this.

Your solution works perfectly!

Many thanks and kind regards

Chris

0 Karma
Highlighted

Re: Why am I unable to multiply two fields fields with my current search syntax?

Esteemed Legend

The direct way to do this is to force splunk to interpret your string as a field name; this is done by bounding the LHV in double-quotes and the RHVs inside dollar-signs, like this:

| eval "Rating Calculation" = $Total Replies$ * $Rating Score$
Highlighted

Re: Why am I unable to multiply two fields fields with my current search syntax?

Motivator

Cool, I was unaware of that feature.

0 Karma
Highlighted

Re: Why am I unable to multiply two fields fields with my current search syntax?

Influencer

The normal version of this feature is to use single quotes:

| eval "Rating Caculation" = 'Total Replies' * 'Rating Score'

From the docs:

If the expression references a field name that contains non-alphanumeric characters, it needs to be surrounded by single quotes; for example, new=count+'server-1'.
Highlighted

Re: Why am I unable to multiply two fields fields with my current search syntax?

Motivator

Hi @aljohnson, thank you for taking the time to come back to me with this. Another really useful piece of information.

Many thanks and kind regards

Chris

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.