Splunk Search

Why is eval failing on joined data?

laduran
Explorer

I have the following search:

 

 

index=sandbox document_type=test-collat-record-json_v2 
| where ((isnotnull(test_result)) AND project_short="LNL" AND collateral_type="fw" AND ingredient_type="ifwi_bin" AND ingredient="csme")
| dedup test_collat_record_json_guid
| join type=inner left=L right=R where L.project_short=R.project_short L.collateral_type=R.collateral_type L.ingredient_type=R.ingredient_type L.ingredient=R.ingredient
[search document_type=test-collat-record-summary-json]
| table L.collat_record_json_guid, L.project_short, L.collateral_type, L.ingredient_type, L.ingredient, L.version, L.test, L.test_result, R.number_of_tests, R.passing_threshold

 

 

I'm joining data from a set of test results and then I lookup info about what a passing set of results should look like from another data source. Hence the join. It's good. It works for me and the result yields the table:

laduran_0-1659983085885.png

So great. Just want to aggregate the results and get counts of passing/failing tests and compare that with the passing_threshold field.

So I added: 

 

 

| stats
count(eval(L.test_result=="SUCCESS")) as passingTests
count(eval(L.test_result=="FAILURE")) as failingTests
values(R.number_of_tests) as numTests,
values(R.passing_threshold) as pass_threshold
by L.collat_record_json_guid

 

 

 But the two evaluations of success and failure tests are zero. But from the table above they are clearly not zero. Should be 2 and 1 respectively.

laduran_1-1659983273155.png

What have I done wrong? Is eval not going to work on joined data? I am using the correct aliases for the data.

Labels (3)
0 Karma
1 Solution

somesoni2
Revered Legend

Try like this (put fields in single quotes in eval)

| stats
count(eval('L.test_result'=="SUCCESS")) as passingTests
count(eval('L.test_result'=="FAILURE")) as failingTests
values(R.number_of_tests) as numTests,
values(R.passing_threshold) as pass_threshold
by L.collat_record_json_guid

  

View solution in original post

laduran
Explorer

This fixed my issue.
Thank you! @somesoni2 

0 Karma

somesoni2
Revered Legend

Try like this (put fields in single quotes in eval)

| stats
count(eval('L.test_result'=="SUCCESS")) as passingTests
count(eval('L.test_result'=="FAILURE")) as failingTests
values(R.number_of_tests) as numTests,
values(R.passing_threshold) as pass_threshold
by L.collat_record_json_guid

  

Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...