Splunk Search

Why am I unable to store a result into a new field using eval?

vasavigangana
Explorer

Hi

I tried the following search:

sourcetype="smaple12" OR sourcetype="sample22" OR sourcetype="sample32"  Install_Mode=SILENT | eval used_memory=Total_Memory-Available_Memory |table _time, used_memory

When I run it, I am not getting values into the used_memory field.

My log files look like this:

sample12 file:

Interview_Time = 26 seconds,Install_Time = 0 seconds,Link_Time = 0 seconds,Configuration_Time = 0 seconds,Session_Time = 37 seconds,Operating_System = Linux,Processor_Architecture = amd64,CPU_Speed = 3.3125 GHz,CPU_Number = 1 Processors,Total_Memory = 996 MB,Available_Memory = 64 MB,Available_Swap_Space = 2015 MB,Peak_Thread_Count = 9 Threads,Oracle_Home = /home/cmc/Oracle/Middleware/Oracle_Home,Install_Mode = SILENT,Oracle Home_Size = 0.9855431318283081 GB,Installed_From =../stage/products.xml,Deinstall_Time = 0 seconds , event=Coherence

sample22:

Interview_Time = 32 seconds,Install_Time = 0 seconds,Link_Time = 0 seconds,Configuration_Time = 0 seconds,Session_Time = 32 seconds,Operating_System = Linux,Processor_Architecture = amd64,CPU_Speed = 3.432 GHz,CPU_Number = 1 Processors,Total_Memory = 947 MB,Available_Memory = 74 MB,Available_Swap_Space = 2014 MB,Peak_Thread_Count = 7 Threads,Oracle_Home = /home/cmc/Oracle/Middleware/Oracle_Home,Install_Mode = SILENT,Oracle_Home_Size = 0.954186481248 GB,Installed_From =../stage/products.xml,Deinstall_Time = 0 seconds , event=Nosql

sample32:

Interview_Time = 47 seconds,Install_Time = 0 seconds,Link_Time = 0 seconds,Configuration_Time = 0 seconds,Session_Time = 56 seconds,Operating_System = Linux,Processor_Architecture = amd64,CPU_Speed = 2.658 GHz,CPU_Number = 1 Processors,Total_Memory = 1042 MB,Available_Memory = 567 MB,Available_Swap_Space = 2012 MB,Peak_Thread_Count = 5 Threads,Oracle_Home = /home/cmc/Oracle/Middleware/Oracle_Home,Install_Mode = SILENT,Oracle_Home_Size = 0.984785789270 GB,Installed_From =../stage/products.xml,Deinstall_Time = 0 seconds , event=kazzing
1 Solution

jeffland
SplunkTrust

Your field values are "123 MB". Splunk can only do arithmetic with numbers, so you'll have to get rid of that "MB" first. One solution would be to use rex (insert before eval):

| rex field=Total_Memory "(?<Total_Memory>\d+) MB" | rex field=Available_Memory "(?<Available_Memory>\d+) MB" 

This overrides your Available_Memory though; if you want to preserve it, you can rename the capturing group (but then you'll have to use the newly named fields in your search).

Another (possibly better) idea is to use the convert method to convert the field into a number, disregarding any non-numeric characters:

| convert num(Available_Memory) num(Total_Memory)

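As an added example that is not part of the thread, here is a Python model of what the rex/convert step above does: split the "key = value" events into fields, turn the memory values into plain numbers, then subtract. The events are constructed from the samples in the question (fewer fields, same values); the fourth, mixed-unit event is hypothetical. It shows the one caveat a plain unit strip (which is what `convert num()` does) leaves open: if one value is in GB and the other in MB, the subtraction is silently wrong unless the unit is applied rather than just removed.

```python
import re

# Constructed sample events, modelled on the three log lines in the question
# (a few fields dropped to keep lines short; the memory values are the ones the
# thread shows). The fourth event is an added, hypothetical case with mixed units.
SAMPLE_EVENTS = [
    "Operating_System = Linux,Total_Memory = 996 MB,Available_Memory = 64 MB,"
    "Install_Mode = SILENT,Oracle Home_Size = 0.9855431318283081 GB,"
    "Installed_From =../stage/products.xml,Deinstall_Time = 0 seconds , event=Coherence",
    "Operating_System = Linux,Total_Memory = 947 MB,Available_Memory = 74 MB,"
    "Install_Mode = SILENT,Deinstall_Time = 0 seconds , event=Nosql",
    "Operating_System = Linux,Total_Memory = 1042 MB,Available_Memory = 567 MB,"
    "Install_Mode = SILENT,Deinstall_Time = 0 seconds , event=kazzing",
    # hypothetical: same layout, but the total is reported in GB
    "Operating_System = Linux,Total_Memory = 1 GB,Available_Memory = 256 MB,"
    "Install_Mode = SILENT,Deinstall_Time = 0 seconds , event=mixed_units",
]

# Multipliers to megabytes for the unit suffixes the format may carry.
_UNIT_TO_MB = {"KB": 1 / 1024, "MB": 1.0, "GB": 1024.0, "TB": 1024.0 ** 2}

# A number followed by an optional unit: "996 MB", "0.9855 GB", "2015MB", "42".
_NUM_UNIT = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([KMGT]B)?\s*$", re.IGNORECASE)


def parse_event(raw: str) -> dict:
    """Split a 'key = value,key = value' event into a dict (the KV extraction step)."""
    fields = {}
    for pair in raw.split(","):
        if "=" not in pair:
            continue  # tolerate a stray fragment rather than failing the whole event
        key, value = pair.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def to_mb(value: str) -> float:
    """Turn '996 MB' or '1 GB' into a number of megabytes.

    This is what the thread's rex/convert step does, with one addition: the
    unit is applied, not just stripped, so a GB value next to an MB value does
    not silently corrupt the subtraction. Non-sized text raises instead of
    becoming a null that would vanish from the result.
    """
    m = _NUM_UNIT.match(value)
    if not m:
        raise ValueError(f"not a sized value: {value!r}")
    number, unit = m.groups()
    factor = _UNIT_TO_MB[unit.upper()] if unit else 1.0  # bare number: assume MB
    return float(number) * factor


def used_memory_mb(fields: dict) -> float:
    """used_memory = Total_Memory - Available_Memory, both normalised to MB."""
    return to_mb(fields["Total_Memory"]) - to_mb(fields["Available_Memory"])


def report(events) -> list:
    """Return [(event, used_memory_mb), ...] for events with Install_Mode=SILENT."""
    rows = []
    for raw in events:
        fields = parse_event(raw)
        if fields.get("Install_Mode") != "SILENT":
            continue
        rows.append((fields["event"], used_memory_mb(fields)))
    return rows


if __name__ == "__main__":
    for name, used in report(SAMPLE_EVENTS):
        print(f"{name:12s} used_memory={used:.0f} MB")
```

With the unit applied, the fourth event yields 768 MB; stripping "GB" and "MB" without converting would have produced 1 - 256 = -255, which is the kind of quiet error a dashboard built on this field would never flag.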

fdi01
Motivator

Your search is not working because:
1. Your sourcetypes are log files: sourcetype="smaple12" OR sourcetype="sample22" OR sourcetype="sample32"

First index or monitor your log files before writing your searches.
Note: a sourcetype is not a file. When writing your search, don't put sourcetype="smaple12" OR sourcetype="sample22" OR sourcetype="sample32".
Put your index name first instead.
Try it like this:

index="index_name" | convert num(Available_Memory) num(Total_Memory) | eval used_memory=tostring(Total_Memory - Available_Memory)." MB" | table _time, used_memory


vasavigangana
Explorer

Thank you jeffland, it's working great.
