Solved: Re: help on eval

jip31 · ‎07-14-2018

hello
i try to use the code below but everytimes i have an issue of quote or parenthesis even if i do modifications:

| timechart span=10m eval(avg(if host=="$field1$",PercentProcessorTime,NULL)) as PercentProcessorTime_AVG by host 
OR eval(avg(if host=="$field2$",PercentProcessorTime,NULL)) as PercentProcessorTime_AVG by host

could you help me please

renjith_nair · ‎07-16-2018

Hi @jip31 ,
If you want to do a timechart based on host, you could simply do it by

     index="windows-wmi" sourcetype="WMI:CPUload"  host="$field1$" OR host="$field2$" (Name="mfetp/*" OR Name="mcshield/*") Name=$Service$
      | rex field=Name "^(?<Service>[^\/]+)[\/]" 
      | eval key=Service."-".host 
      | timechart span=10m avg(PercentProcessorTime) as PercentProcessorTime BY host

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎07-16-2018

Hi @jip31 ,
If you want to do a timechart based on host, you could simply do it by

     index="windows-wmi" sourcetype="WMI:CPUload"  host="$field1$" OR host="$field2$" (Name="mfetp/*" OR Name="mcshield/*") Name=$Service$
      | rex field=Name "^(?<Service>[^\/]+)[\/]" 
      | eval key=Service."-".host 
      | timechart span=10m avg(PercentProcessorTime) as PercentProcessorTime BY host

---
What goes around comes around. If it helps, hit it with Karma 🙂

jip31 · ‎07-16-2018

THANKS RENJITH

renjith_nair · ‎07-16-2018

@jip31 , again you are accepting your own answer. If one of the answer is helpful for you, please accept it or vote for it 🙂 .
@asiddique_splunk might be able to help you!

---
What goes around comes around. If it helps, hit it with Karma 🙂

jip31 · ‎07-16-2018

Many thanks!

renjith_nair · ‎07-16-2018

@jip31 ,if the above answers your question, you shall accept it or vote it 🙂

---
What goes around comes around. If it helps, hit it with Karma 🙂

jip31 · ‎07-16-2018

Hello i have an issue
https://www.cjoint.com/c/HGqh71VI8M0
could you help me please?

index="windows-wmi" sourcetype="WMI:CPUload"  host="$field1$" OR host="$field2$" (Name="mfetp/*" OR Name="mcshield/*") Name=$Service$
 | rex field=Name "^(?<Service>[^\/]+)[\/]" 
 | eval key=Service."-".host 
 | timechart span=10m avg(eval(if(host=="$field1$", PercentProcessorTime, null()))) AS PercentProcessorTime_AVG1
                    avg(eval(if(host=="$field2$", PercentProcessorTime, null()))) AS PercentProcessorTime_AVG2 BY host

woodcock · ‎07-16-2018

Did you mean to click Accept here?

woodcock · ‎07-14-2018

Try this:

| timechart span=10m avg(eval(if(host=="$field1$", PercentProcessorTime, null()))) AS PercentProcessorTime_AVG1
                     avg(eval(if(host=="$field2$", PercentProcessorTime, null()))) AS PercentProcessorTime_AVG2 BY host

renjith_nair · ‎07-14-2018

Hi @jip31,

You need to enclose arguments of the if statement in a parenthesis like

| timechart span=10m eval(avg(if(host=="$field1$",PercentProcessorTime,NULL))) as PercentProcessorTime_AVG by host

Reference :
https://docs.splunk.com/Documentation/Splunk/7.1.1/Search/Usestatswithevalexpressionsandfunctions#Ex...

http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Eval#2._Use_the_if_function_to_ana...

---
What goes around comes around. If it helps, hit it with Karma 🙂

help on eval

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

Data Management Digest – January 2026

Splunk SOAR Now Available on Google Cloud Platform

Join the Conversation

help on eval

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

Data Management Digest – January 2026

Splunk SOAR Now Available on Google Cloud Platform