Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: help on eval
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
07-14-2018
01:20 AM
hello
i try to use the code below but everytimes i have an issue of quote or parenthesis even if i do modifications:
| timechart span=10m eval(avg(if host=="$field1$",PercentProcessorTime,NULL)) as PercentProcessorTime_AVG by host
OR eval(avg(if host=="$field2$",PercentProcessorTime,NULL)) as PercentProcessorTime_AVG by host
could you help me please
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
07-16-2018
01:26 AM
Hi @jip31 ,
If you want to do a timechart based on host, you could simply do it by
index="windows-wmi" sourcetype="WMI:CPUload" host="$field1$" OR host="$field2$" (Name="mfetp/*" OR Name="mcshield/*") Name=$Service$
| rex field=Name "^(?<Service>[^\/]+)[\/]"
| eval key=Service."-".host
| timechart span=10m avg(PercentProcessorTime) as PercentProcessorTime BY host
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
07-16-2018
01:26 AM
Hi @jip31 ,
If you want to do a timechart based on host, you could simply do it by
index="windows-wmi" sourcetype="WMI:CPUload" host="$field1$" OR host="$field2$" (Name="mfetp/*" OR Name="mcshield/*") Name=$Service$
| rex field=Name "^(?<Service>[^\/]+)[\/]"
| eval key=Service."-".host
| timechart span=10m avg(PercentProcessorTime) as PercentProcessorTime BY host
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
07-16-2018
04:36 AM
THANKS RENJITH
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
07-16-2018
05:44 AM
@jip31 , again you are accepting your own answer. If one of the answer is helpful for you, please accept it or vote for it 🙂 .
@asiddique_splunk might be able to help you!
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
07-16-2018
01:26 AM
Many thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
07-16-2018
01:26 AM
@jip31 ,if the above answers your question, you shall accept it or vote it 🙂
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
07-16-2018
01:05 AM
Hello i have an issue
https://www.cjoint.com/c/HGqh71VI8M0
could you help me please?
index="windows-wmi" sourcetype="WMI:CPUload" host="$field1$" OR host="$field2$" (Name="mfetp/*" OR Name="mcshield/*") Name=$Service$
| rex field=Name "^(?<Service>[^\/]+)[\/]"
| eval key=Service."-".host
| timechart span=10m avg(eval(if(host=="$field1$", PercentProcessorTime, null()))) AS PercentProcessorTime_AVG1
avg(eval(if(host=="$field2$", PercentProcessorTime, null()))) AS PercentProcessorTime_AVG2 BY host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-16-2018
07:15 AM
Did you mean to click Accept here?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-14-2018
02:39 PM
Try this:
| timechart span=10m avg(eval(if(host=="$field1$", PercentProcessorTime, null()))) AS PercentProcessorTime_AVG1
avg(eval(if(host=="$field2$", PercentProcessorTime, null()))) AS PercentProcessorTime_AVG2 BY host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
07-14-2018
03:28 AM
Hi @jip31,
You need to enclose arguments of the if statement in a parenthesis like
| timechart span=10m eval(avg(if(host=="$field1$",PercentProcessorTime,NULL))) as PercentProcessorTime_AVG by host
Reference :
https://docs.splunk.com/Documentation/Splunk/7.1.1/Search/Usestatswithevalexpressionsandfunctions#Ex...
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
Get Updates on the Splunk Community!
Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1
Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
