Solved: Why am I unable to multiply two fields fields with... - Page 2

IRHM73 · ‎11-11-2015

Hi, I wonder whether someone may be able to help me please.

I'm trying to put together a piece of a search which multiplies two numerical fields.

I've looked through Splunk Answers and tried both of the following:

eval Rating Calculation = Total Replies * Rating Score

and

eval Rating Calculation = "Total Replies"  * "Rating Score"

But neither work.

I just wondered whether someone may be able to look at this please and let me know where I've gone wrong.

Many thanks and kind regards

Chris

aholzer · ‎11-11-2015

Use the rename function, to rename your fields with spaces to fields without spaces:

... | rename "Total Replies" AS TotalReplies, "Rating Score" AS RatingScore

Then apply your eval (may I suggest you don't use a space in the name of your field in the eval?):

... | eval RatingCalculation = TotalReplies * RatingScore

Once all this is done, you can then rename them back to having the space between words. But I would leave this rename to the very last step in your search, to avoid further issues with fields with spaces:

... | rename Rating* AS "Rating *", TotalReplies AS "Total Replies"

Your full search would look like this:

<your base search> | rename "Total Replies" AS TotalReplies, "Rating Score" AS RatingScore | eval RatingCalculation = TotalReplies * RatingScore | rename Rating* AS "Rating *", TotalReplies AS "Total Replies"

Hope this helps

View solution in original post

Why am I unable to multiply two fields fields with my current search syntax?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!