- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- eval returning null value for a looked up field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eval returning null value for a looked up field
I have a query which I need to chart with an overlay with a static baseline figure (maxiops) which is retrieved by looking up a couple of fields in a csv file (DISKTYPE and SPEED). This returns MAX_IOPS.
I'm using 6.1 and thought this would be nice and easy, but it appears that MAX_IOPS is being treated as NULL so I cannot plot the line. If I hardcode maxiops=75 etc it works.
Any ideas how I can use the MAX_IOPS field for plotting the static line? The value is not dependent on the number of disks (PDID) returned. It's just based on DISKTYPE and SPEED.
index=ssa source="dbmon-tail://3Par-System-Reporter/statpd_hires" 3par_array_name=f400xlt01 DISKTYPE=NL SPEED=* PDID=17 OR PDID=18 | eval total_iops=(((d_rcount + d_wcount) * 1000000)/d_now_msec) | eval read_iops=((d_rcount * 1000000)/d_now_msec) | eval write_iops=((d_wcount * 1000000)/d_now_msec) | timechart span=1m max(read_iops) as "Read IOPs", max(write_iops) as "Write IOPs" by PDID | eval maxiops=if(isnull(MAX_IOPS),"yes","no")
Many thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ffrig,
I not sure if i understand it completely, but what I see is that you set maxiops with the last eval to either yes or no and this cannot be charted in timechart.....
maybe you should try something like this as last eval:
eval maxiops=if(isnull(MAX_IOPS), "75", MAX_IOPS)
this will set maxiops to either the value of MAX_IOPS or if the field is empty to 75. Or this one:
eval myMaxIOPS="75" | eval maxiops=coalesce(MAX_IOPS, myMaxIOPS)
this will set a new field first and use in the second eval either MAX_IOPS if it exists or myMaxIOPS.
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. I only get one MAX_IOPS but per PDID returned.
I can't set just one in the lookup as FC and NL types have different values. I need to select one of these based on what someone sets on the dashboard.
Basically I just need the lookup value based on what someone selects for DISKTYPE and SPEED and plot that independently of anything else. As I'm trying to overlay this on the chart, I don't think that's possible?
I suppose I could do it with one massive if statement instead of the lookup but that kind of defeats the object :>(
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, your timechart is by or per PDID. Since you have three different MAX_IOPS in your lookup you will get back three different values. If you only need one either set only one in the lookup or do it like you did in the beginning and set it 'static' using eval.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi MuS
That works but I get a MAX_IOPS per PDID which isn't what I need. I just need one MAX_IOPS for all PDIDs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
facepalm your MAX_IOPS field is 'gone' after the timechart! Add is like max(MAX_IOPS) AS MAX_IOPS to the timechart and you should be fine ....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=ssa source="dbmon-tail://3Par-System-Reporter/statpd_hires" 3par_array_name=v400xlt01 | table DISKTYPE SPEED MAX_IOPS
returns MAX_IOPS as 75, 150, 200 depending on the search criteria so that looks fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is that MAX_IOPS is NULL and I can't see why it is.
The value is retrieved via a lookup:
~props.conf:
LOOKUP-ssa-3par-iops = ssa-3par-performance DISKTYPE SPEED OUTPUTNEW MAX_IOPS MAX_MBS
~transforms.conf:
[ssa-3par-performance]
filename = ssa_3par_iops.csv
[root@vspindexlt03 local]# cat ../lookups/ssa_3par_iops.csv
DISKTYPE,SPEED,MAX_IOPS,MAX_MBS
NL,7,75,30
FC,10,150,45
FC,15,200,45
This is working as I see it in the events, but I get a NULL for MAX_IOPS when charting with:
index=ssa source="dbmon-tail://3Par-System-Reporter/statpd_hires" 3par_array_name=f400xlt01 DISKTYPE=NL SPEED=* PDID=17 OR PDID=18 | eval total_iops=(((d_rcount + d_wcount) * 1000000)/d_now_msec) | eval read_iops=((d_rcount * 1000000)/d_now_msec) | eval write_iops=((d_wcount * 1000000)/d_now_msec) | timechart span=1m max(read_iops) as "Read IOPs", max(write_iops) as "Write IOPs" by PDID | eval maxiops=if(isnull(MAX_IOPS),"75",MAX_IOPS)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so you got a field named MAX_IOPS which contains numeric values?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks MuS. I'll try your suggestions.
The last eval "isnull" part was just to show that it's been set to null. I should have taken that out I suppose!
I don't understand why MAX_IOPS is NULL though?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
