Solved: Why is basic eval not returning results?

jip31 · ‎03-07-2019

Hello

I dont understand why:
index="x" sourcetype="wmi:BatteryFull" OR sourcetype="wmi:BatteryStatic"

| dedup host
| eval Wear_Rate = 100-(FullChargedCapacity *100/DesignedCapacity)
| table host Wear_Rate

dont returns results
Could you help me please?

renjith_nair · ‎03-12-2019

That’s because, in your last stats command you have only ‘count by host ‘ and wear_rate is not available after the stats command

Happy Splunking!

View solution in original post

renjith_nair · ‎03-12-2019

That’s because, in your last stats command you have only ‘count by host ‘ and wear_rate is not available after the stats command

Happy Splunking!

jip31 · ‎03-14-2019

many thanks renjith

renjith_nair · ‎03-14-2019

@jip31, you are welcome! If that resolves your problem, please accept this as answer.

Happy Splunking!

jip31 · ‎03-12-2019

hi
I launch again a question on this topic because I have no results
When I execute the search below, I collect 3 events

eventtype=Charge
| stats first(FullChargedCapacity) AS FullChargedCapacity first(DesignedCapacity) AS DesignedCapacity first(_time) AS _time BY host 
| eval Wear_Rate = 100-(FullChargedCapacity *100/DesignedCapacity) 
| where Wear_Rate >5 
| dedup host 
| stats count

But I need to display in a single value "GOOD" OR "BAD" which depends on the wear rate value
So I do the search below but I have a "GOOD" result for the 3 events even if the wear rate is <5

eventtype=Charge AND (NOT host=E* AND NOT host=I*) 
| stats first(FullChargedCapacity) AS FullChargedCapacity first(DesignedCapacity) AS DesignedCapacity first(_time) AS _time BY host 
| eval Wear_Rate = 100-(FullChargedCapacity *100/DesignedCapacity) 
| eval FullChargedCapacity = FullChargedCapacity." mAH" 
| eval DesignedCapacity = DesignedCapacity." mAH" 
| eval Wear_Rate=round(Wear_Rate, 1) 
| where Wear_Rate >5 
| dedup host 
| stats count by host| eval Wear_Rate =if(Wear_Rate>5, "BAD", "GOOD") 
| table host Wear_Rate

What is wrong please??

jip31 · ‎03-11-2019

is anybody has an idea please??

Vijeta · ‎03-07-2019

@jip31 Can you share some sample data? Also the field names are you seeing them in field on left hand side for FullChargedCapacity and DesignedCapacity, may be the fields are not extracted from event and thst is why your eval is not working.

nickhills · ‎03-07-2019

Your logic is sound.
This run anywhere command proves your logic:

| makeresults 1 
| eval FullChargedCapacity=4500 
| eval DesignedCapacity=4800
| eval Wear_Rate = 100-(FullChargedCapacity *100/DesignedCapacity)

Can you confirm that both the capacity fields only contain numbers (ie no mAh, or spaces etc) and that both fields are returned in any result?

Perhaps you could post the output of:

index="x" sourcetype="wmi:BatteryFull" OR sourcetype="wmi:BatteryStatic"  
 | dedup host 
 | table FullChargedCapacity DesignedCapacity
 | head 5

If my comment helps, please give it a thumbs up!

jip31 · ‎03-07-2019

you can see the output here in the question

renjith_nair · ‎03-07-2019

@jip31,

Do you have the fields FullChargedCapacity and DesignedCapacity in your search results?
Do you see them in

index="x" sourcetype="wmi:BatteryFull" OR sourcetype="wmi:BatteryStatic"  
|head 2|table host,FullChargedCapacity  , DesignedCapacity

Happy Splunking!

jip31 · ‎03-07-2019

Yes I see thé events

renjith_nair · ‎03-07-2019

Are they numeric or are there are any characters together with it? Can you give me one sample data from both fields FullChargedCapacity , DesignedCapacity

Happy Splunking!

Why is basic eval not returning results?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!