Splunk Search

is eval the right choice?

mikefoti
Communicator

The query below displays accurate values for Requests, Accepted, Rejected and %Accepted.

| stats count(eval(nps_packetType=1)) AS "Requests", 
  count(eval(nps_packetType=2)) AS "Accepted", 
  count(eval(nps_packetType=3)) AS "Rejected" 
| eval %Accepted=round((Accepted/Requests*100))

How can add a code similar to below so it also calculates & displays %Rejected

| eval %Rejected=round((Rejected/Requests*100))

Also, I calculated values for Accepted and Rejected only because I believe I need them to calculate the percentages. But is there a way to NOT display values for Accepted & Rejected?
Seems the syntax for EVAL requires I use "AS" which then seems to assume I want the values displayed.

Tags (2)
0 Karma
1 Solution

kristian_kolb
Ultra Champion

Yes, you can add the fields command at the end of the query;

... | fields - Rejected, Accepted

Hope this helps,

Kristian

View solution in original post

kristian_kolb
Ultra Champion

Yes, you can add the fields command at the end of the query;

... | fields - Rejected, Accepted

Hope this helps,

Kristian

mikefoti
Communicator

It all works perfectly now that I do |fields at the right place. Thanks both for your help!

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

Using "%" in a field name could cause problems in some places, though you can deal with it by enclosing the field name with single quotes. In this case, it's not a problem.

0 Karma

kristian_kolb
Ultra Champion

yep, I could have been a bit clearer on that.

Also, I've never used '%' as part of a field name, could that be causing trouble, need quoting/escaping or something like that?

/k

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

kristian.kolb's suggestion works just fine. simply make sure you do | fields after both evals.

0 Karma

mikefoti
Communicator

Unfortunately that does not work because both "eval %Accepted" and "eval $Rejected" need what is piped from the STATS function.

0 Karma

kristian_kolb
Ultra Champion

You need to have a pipe between the evals.

...| stats blaha | eval x=y/z | eval q=w/e

/k

0 Karma

mikefoti
Communicator

No. Trying to simply append this line to the end of the working query does not work.
... eval %Rejected=round((Rejected/Requests*100))

For example, the below fails because of the last EVAL statement.

| stats count(eval(nps_packetType=1)) AS "Requests",
count(eval(nps_packetType=2)) AS "Accepted",
count(eval(nps_packetType=3)) AS "Rejected"
| eval %Accepted=round((Accepted/Requests*100))
eval %Rejected=round((Rejected/Requests*100))

0 Karma

kristian_kolb
Ultra Champion

I thought you just had all that in one query, i.e. the stats and the two eval statements. Did it not work?

/k

0 Karma

mikefoti
Communicator

Thanks Kristian. That answers the 2nd portion of the question. Any idea on the first... how to display %Rejected along with %Accepted??

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...