Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

eval percent line is not producing values in the table

DLevine_
Explorer
‎09-30-2024 06:06 AM

I am working on obtaining all user logins for a specified domain, then displaying what percent of those logins were from compliant devices. I start by creating a couple fields for 'ease of reading' - these fields do produce data as expected, however, the table comes out with 'null' for the percent values. I have tried the below variations in pipeflow unfortunately with similar results - when trying to create a 'total' value by creating then combining compliant and noncompliant to divide, the total field does not have data either.

base search
| eval DeviceCompliance='deviceDetail.isCompliant'
| eval compliant=if(DeviceCompliance="true",DeviceCompliance,null())
| stats count as total by userPrincipalName
| eval percent=((compliant/total)*100)
| table userPrincipalName total percent



base search
| eval DeviceCompliance='deviceDetail.isCompliant'
| eval compliant=if(DeviceCompliance="true",DeviceCompliance,null())
| eval noncompliant=if(DeviceCompliance="false",DeviceCompliance,null())
| eval total=sum(compliant+noncompliant)
| stats count by userPrincipalName
| table userPrincipalName compliant total 
| eval percent=((compliant/total)*100)
| table userPrincipalName total percent

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-30-2024 06:38 AM 
base search
| eval DeviceCompliance='deviceDetail.isCompliant'
| chart count by userPrincipalName DeviceCompliance
| eval total=true + false
| rename true as compliant
| eval percent=((compliant/total)*100)
| table userPrincipalName compliant total percent

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-30-2024 07:18 AM

The problem lies with the stats command.  It's a transforming command that only returns the fields explicitly named in the command.  That means not all of the fields used in later calculations are available so the calculation results are null.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-30-2024 06:38 AM 
base search
| eval DeviceCompliance='deviceDetail.isCompliant'
| chart count by userPrincipalName DeviceCompliance
| eval total=true + false
| rename true as compliant
| eval percent=((compliant/total)*100)
| table userPrincipalName compliant total percent
Reply
Solved! Jump to solution

DLevine_
Explorer
‎09-30-2024 07:29 AM

Thanks, this worked. Two additional questions, why the chart command specifically?
And for this statement:

| eval total=true + false


Is the reason this line works because there are only two values available to the previous statement, being true and false? It is not the case here, but if there were three values; full, partial and none - would the same type of statement require defining these somewhere before this?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-30-2024 08:19 AM

chart uses the values of the second field in the by clause (DeviceCompliance) to provide field names / column headers, in this case "true" and "false" so if the DeviceCompliance had three values, these would be the field names with their respective counts.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...