
Why does my division of two fields return nothing?

Explorer

I have the following query that is intended to divide the "stats.hypervisorcpuppm" field by 10000 and then show that value in a table.

   index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=* | eval usage=stats.hypervisor_cpu_usage_ppm / 10000 | table host, stats.hypervisor_cpu_usage_ppm, usage | dedup host

When I run the query, it gives me a table with the host, the values for stats.hypervisorspuppm, and then an empty column for usage. Why is the usage column empty?

0 Karma

Re: Why does my division of two fields return nothing?

I believe you need to replace this:

| eval usage=stats.hypervisor_cpu_usage_ppm / 10000

with this:

| eval usage='stats.hypervisor_cpu_usage_ppm' / 10000

Splunk has some quirks about when field names must be wrapped with quotes in order to reference them, and field names with non-alphanumeric characters often trigger those.

0 Karma

Re: Why does my division of two fields return nothing?

Explorer

I have tried this, but I get the same empty column. I tried double quotes as well, but that returned an error because Splunk read it as a string being divided by a number.

0 Karma

Re: Why does my division of two fields return nothing?

Contributor

Try this:

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=*
| dedup host | rename stats.hypervisor_cpu_usage_ppm as USAGEPPM
| eval usage=USAGEPPM / 10000
| table host, USAGEPPM, usage

Basically, I have renamed the field stats.hypervisor_cpu_usage_ppm as USAGEPPM.


Re: Why does my division of two fields return nothing?

Explorer

This does not work either... I don't know why this is happening, it doesn't make much sense.

0 Karma

Re: Why does my division of two fields return nothing?

Esteemed Legend

Try this:

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=*
| dedup host
| eval usage=$stats.hypervisor_cpu_usage_ppm$ / 10000
| table host, $stats.hypervisor_cpu_usage_ppm$, usage

Or this:

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=*
| dedup host
| eval usage='stats.hypervisor_cpu_usage_ppm' / 10000
| table host, 'stats.hypervisor_cpu_usage_ppm', usage
0 Karma

Re: Why does my division of two fields return nothing?

Explorer

Neither of these worked. In fact, they both resulted in the stats.hypervisor_cpu_usage_ppm column being empty as well as the usage column.

0 Karma

Re: Why does my division of two fields return nothing?

SplunkTrust

Can you post some sample entries that you see for field stats.hypervisor_cpu_usage_ppm, before division?

0 Karma

Re: Why does my division of two fields return nothing?

Explorer

Here is an example of entries for that field:

stats.hypervisor_cpu_usage_ppm

286690
286690

745400
745400

0 Karma

Re: Why does my division of two fields return nothing?

Is that the value of a single field? Is it a multivalue field?

0 Karma
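
A self-contained search for checking the two explanations raised in this thread (field-name quoting in eval, and whether the field is multivalue), added here as an example that is not part of any reply above. The host value is constructed, the two ppm values are taken from the sample entries posted above, and the column names value_count, usage_unquoted, usage_quoted and usage_first are hypothetical.

```spl
| makeresults
| eval host="constructed-host-a", ppm=mvappend("286690", "286690")
| rename ppm AS "stats.hypervisor_cpu_usage_ppm"
| eval value_count=mvcount('stats.hypervisor_cpu_usage_ppm')
| eval usage_unquoted=stats.hypervisor_cpu_usage_ppm / 10000
| eval usage_quoted='stats.hypervisor_cpu_usage_ppm' / 10000
| eval usage_first=tonumber(mvindex('stats.hypervisor_cpu_usage_ppm', 0)) / 10000
| table host, stats.hypervisor_cpu_usage_ppm, value_count, usage_unquoted, usage_quoted, usage_first
```

A value_count above 1 means the field is multivalue, which is the case the last reply asks about; usage_first performs the division on a single value taken with mvindex. Replacing the first three lines with the original base search runs the same checks against the indexed events.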