Splunk Search

Why does my division of two fields return nothing?

sjcoluccio67
Explorer

I have the following query that is intended to divide the "stats.hypervisor_cpu_usage_ppm" field by 10000 and then show that value in a table.

   index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=* | eval usage=stats.hypervisor_cpu_usage_ppm / 10000 | table host, stats.hypervisor_cpu_usage_ppm, usage | dedup host

When I run the query, it gives me a table with the host, the values for stats.hypervisor_cpu_usage_ppm, and then an empty column for usage. Why is the usage column empty?

0 Karma

aropaltioali
Engager

Hey!

I bumped into this thread and noticed this was not solved.
If you look closely, the field is presented as a string (a, not #), and tonumber fails due to multiple values in the string.

Here's how I found the solution:

/opt/splunk/etc/system/local/props.conf

[nutanix_arch]
KV_MODE = none
AUTO_KV_JSON = false
INDEXED_EXTRACTIONS = JSON

https://answers.splunk.com/answers/610585/json-format-duplicate-value-in-field.html

Now the field is an integer and you can eval it with the following command:
|eval usage='stats.hypervisor_cpu_usage_ppm' / 10000

Hope this helps! 🙂

0 Karma
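The props.conf change above fixes the root cause: with INDEXED_EXTRACTIONS = JSON, the JSON fields are already extracted at index time, and leaving search-time JSON auto-extraction on extracts them a second time, so stats.hypervisor_cpu_usage_ppm becomes a multivalue field holding the same number twice (which is exactly what the duplicated sample values further down in this thread look like). eval arithmetic on a multivalue field returns null, which is why usage comes out empty. The following search is an added example, not part of any post in this thread, that shows how to confirm the multivalue diagnosis from the search bar and how to get the division working at search time before (or without) the props.conf fix. The index, sourcetype and field name are taken from the original question; ppm_count, usage_naive, ppm and usage_pct are names chosen for this example.

```spl
index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=*
| dedup host
| eval ppm_count=mvcount('stats.hypervisor_cpu_usage_ppm')
| eval usage_naive='stats.hypervisor_cpu_usage_ppm' / 10000
| eval ppm=tonumber(mvindex(mvdedup('stats.hypervisor_cpu_usage_ppm'), 0))
| eval usage_pct=round(ppm / 10000, 2)
| table host, stats.hypervisor_cpu_usage_ppm, ppm_count, usage_naive, ppm, usage_pct
```

On the double-extracted data, ppm_count shows 2 and usage_naive is empty, while usage_pct is populated: mvdedup collapses the identical duplicate values to one, mvindex(..., 0) takes that single value, and tonumber turns it into a number the division can use. Since 1,000,000 ppm is 100 %, dividing by 10000 yields percent, so a value of 286690 ppm becomes 28.67. The single quotes around the field name are required in eval because of the dots; in the table command the name is given unquoted. Once KV_MODE = none and AUTO_KV_JSON = false stop the second extraction, ppm_count drops to 1 and the plain 'stats.hypervisor_cpu_usage_ppm' / 10000 works without the mvdedup/mvindex workaround. If a field could legitimately carry different values per event, mvindex(..., 0) silently keeps only the first one, so check ppm_count before relying on it.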

rnayshulis
New Member

I am running into a similar issue and have discovered that Splunk is extracting the field that I'm dividing incorrectly. I have a field that's something like size=123 in my events, but Splunk for some reason grabs the user agent string from the events and assigns that to size. So make sure your stats.hypervisor_cpu_usage_ppm field has the actual numerical values that you expect. I'm still working on fixing my problem; I will update here if fixing the field extraction fixed the division problem.

0 Karma

ssadanala1
Contributor

Can you try the below

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=*
| dedup host
| eval usage=tonumber(stats.hypervisor_cpu_usage_ppm) / 10000
| table host, 'stats.hypervisor_cpu_usage_ppm', usage

Thanks

0 Karma

sjcoluccio67
Explorer

No luck, the usage column is still empty. Also, putting the quotes around stats.hypervisor_cpu_usage_ppm like this: | table host, 'stats.hypervisor_cpu_usage_ppm' causes that column to be empty as well.

0 Karma

ssadanala1
Contributor

Please try this and can let us know whether stats.hypervisor_cpu_usage_ppm has field values populated

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=* |dedup host |table stats.hypervisor_cpu_usage_ppm |eval number = 1000 |eval divide = stats.hypervisor_cpu_usage_ppm/number

0 Karma

sjcoluccio67
Explorer

This only returns two columns. The "stats.hypervisor_cpu_usage_ppm" column has its values and then there is a "divide" column that just has the value 10000. I used your suggestion and tried the following, but it left me with the same problem that I have been having: the "usage" column is empty.

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=* |dedup host |eval number = 1000 |eval usage = stats.hypervisor_cpu_usage_ppm/number | table host, stats.hypervisor_cpu_usage_ppm, usage

0 Karma

somesoni2
Revered Legend

Can you post some sample entries that you see for field stats.hypervisor_cpu_usage_ppm, before division?

0 Karma

sjcoluccio67
Explorer

Here is an example of entries for that field:

stats.hypervisor_cpu_usage_ppm

286690
286690

745400
745400

0 Karma

somesoni2
Revered Legend

Shot in the dark, try this

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=* | eval usage=replace('stats.hypervisor_cpu_usage_ppm',"\s+","")/10000 | table host, stats.hypervisor_cpu_usage_ppm, usage | dedup host

0 Karma

elliotproebstel
Champion

Is that the value of a single field? Is it a multivalue field?

0 Karma

woodcock
Esteemed Legend

Try this:

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=*
| dedup host
| eval usage=$stats.hypervisor_cpu_usage_ppm$ / 10000
| table host, $stats.hypervisor_cpu_usage_ppm$, usage

Or this:

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=*
| dedup host
| eval usage='stats.hypervisor_cpu_usage_ppm' / 10000
| table host, 'stats.hypervisor_cpu_usage_ppm', usage

0 Karma

sjcoluccio67
Explorer

Neither of these worked. In fact, they both resulted in the stats.hypervisor_cpu_usage_ppm column being empty as well as the usage column.

0 Karma

elliotproebstel
Champion

I believe you need to replace this:

| eval usage=stats.hypervisor_cpu_usage_ppm / 10000

with this:

| eval usage='stats.hypervisor_cpu_usage_ppm' / 10000

Splunk has some quirks about when field names must be wrapped with quotes in order to reference them, and field names with non-alphanumeric characters often trigger those.

0 Karma

sjcoluccio67
Explorer

I have tried this, but I get the same empty column. I tried double quotes as well, but that returned an error because Splunk read it as a string being divided by a number.

0 Karma

macadminrohit
Contributor

Try this:

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=*
| dedup host | rename stats.hypervisor_cpu_usage_ppm as USAGEPPM
| eval usage=USAGEPPM / 10000
| table host,USAGEPPM, usage

Basically, I have renamed the field stats.hypervisor_cpu_usage_ppm as USAGEPPM.

sjcoluccio67
Explorer

This does not work either... I don't know why this is happening, it doesn't make much sense.

0 Karma