Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

eval percent line is not producing values in the table

DLevine_
Engager
Monday

I am working on obtaining all user logins for a specified domain, then displaying what percent of those logins were from compliant devices. I start by creating a couple fields for 'ease of reading' - these fields do produce data as expected, however, the table comes out with 'null' for the percent values. I have tried the below variations in pipeflow unfortunately with similar results - when trying to create a 'total' value by creating then combining compliant and noncompliant to divide, the total field does not have data either.

base search
| eval DeviceCompliance='deviceDetail.isCompliant'
| eval compliant=if(DeviceCompliance="true",DeviceCompliance,null())
| stats count as total by userPrincipalName
| eval percent=((compliant/total)*100)
| table userPrincipalName total percent



base search
| eval DeviceCompliance='deviceDetail.isCompliant'
| eval compliant=if(DeviceCompliance="true",DeviceCompliance,null())
| eval noncompliant=if(DeviceCompliance="false",DeviceCompliance,null())
| eval total=sum(compliant+noncompliant)
| stats count by userPrincipalName
| table userPrincipalName compliant total 
| eval percent=((compliant/total)*100)
| table userPrincipalName total percent

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
Monday 
base search
| eval DeviceCompliance='deviceDetail.isCompliant'
| chart count by userPrincipalName DeviceCompliance
| eval total=true + false
| rename true as compliant
| eval percent=((compliant/total)*100)
| table userPrincipalName compliant total percent

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
Monday

The problem lies with the stats command.  It's a transforming command that only returns the fields explicitly named in the command.  That means not all of the fields used in later calculations are available so the calculation results are null.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
Monday 
base search
| eval DeviceCompliance='deviceDetail.isCompliant'
| chart count by userPrincipalName DeviceCompliance
| eval total=true + false
| rename true as compliant
| eval percent=((compliant/total)*100)
| table userPrincipalName compliant total percent
Reply
Solved! Jump to solution

DLevine_
Engager
Monday

Thanks, this worked. Two additional questions, why the chart command specifically?
And for this statement:

| eval total=true + false


Is the reason this line works because there are only two values available to the previous statement, being true and false? It is not the case here, but if there were three values; full, partial and none - would the same type of statement require defining these somewhere before this?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
Monday

chart uses the values of the second field in the by clause (DeviceCompliance) to provide field names / column headers, in this case "true" and "false" so if the DeviceCompliance had three values, these would be the field names with their respective counts.

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...