Splunk Search
Highlighted

eval command after stats command not working

Path Finder

Hi,

I'm having a problem with this search:

index="pcmm" "Technical Proficiency"!=NA 
| stats count("Resource Name") as count by "Technical Proficiency"
| eval count = count
| appendpipe
    [stats sum(count) as Total]
| eval Total = Total
| eval "Proficiency Composition" = tostring((count/Total)*100,"commas")."%"

What I'm trying to do here is to use the eval command to make a calculation with the "count" and "Total" field and put the result in the new field named "Proficiency Composition". But it seems that the eval command doesn't work since the result does not return the new field.

Here's the result when I run the query:
alt text

What could be the problem here?

Thanks in advance!

Tags (2)
0 Karma
Highlighted

Re: eval command after stats command not working

SplunkTrust
SplunkTrust

Hi
Can you please try this one ?

index="pcmm" "Technical Proficiency"!=NA 
| stats count("Resource Name") as count by "Technical Proficiency"
| eventstats sum(count) as Total
| eval "Proficiency Composition" = tostring((count/Total)*100,"commas")."%"

Happy Splunking

View solution in original post

Highlighted

Re: eval command after stats command not working

Path Finder

Hi,

It works! 🙂

Thanks!

But you can explain to me how this works and why my search query doesn't?

0 Karma
Highlighted

Re: eval command after stats command not working

SplunkTrust
SplunkTrust

Hi @jvmerilla,

Yes,

1) In your search, you mentioned | eval count = count, actually it does not make any sense. Bcoz It is assigning the same value to same field (count = count).

2) | appendpipe [stats sum(count) as Total], this will create a new row with Total column. So I have replaced it with | eventstats sum(count) as Total.

3) | eval Total = Total, again same, assigning the same value to same field

4) | eval "Proficiency Composition" = tostring((count/Total)*100,"commas")."%" , this will work if Total field is available for all rows. due to (2nd) reason. The replacement will give you Total field for all rows and your eval works well.

I hope this will help you.

!!! Happy Splunking !!!

Highlighted

Re: eval command after stats command not working

Path Finder

Hi @kamlesh_vaghela,

Thanks for the clarification!

I get it now.

Thank you again! 🙂

0 Karma
Highlighted

Re: eval command after stats command not working

SplunkTrust
SplunkTrust

Hi @jvmerilla,

Glad to help you. Please upvote my comments which help you.

🙂

0 Karma
Highlighted

Re: eval command after stats command not working

Legend

@jvmerilla, any reason for going after string format for comma separation on a percent field? Do you think your percent value can shoot up/down by 1000% or more which might show it as 1,000%?

| eval "Proficiency Composition" = tostring((count/Total)*100,"commas")."%"

Normally, we round off using round() function to digits of precision based on our needs:

| eval "Proficiency Composition" = round((count/Total)*100,2)."%"

Above rounds the percent to 2 digits of precision and adds % after the value.

Highlighted

Re: eval command after stats command not working

SplunkTrust
SplunkTrust

@niketnilay. Agreed.

0 Karma
Highlighted

Re: eval command after stats command not working

Path Finder

Hi @niketnilay,
Yes, you're right. I should have use the round() instead of tostring().
The only reason I used tostring() was because I thought I need to make the value a string first before I can add the %.
But I realized that I was wrong about that.
Thank you! 🙂

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.