Re: problem using lookup output field

changux · ‎09-09-2016

Hi all.
I have an automatic file lookup configured to output some fields and works very well (using the sourcetype):

sourcetype=datavalue *

The field from the automatic lookup is GOAL1. This field only has a integer numeric value.

Next, i tried to run:

sourcetype=datavalue ORDER=pending | stats count AS s | eval FINAL = (s * 100)/GOAL1

But the result of FINAL is not shown. If i remove the division per GOAL1, is fine (s * 100). First, i reckoned that maybe GOAL1 has some problem, but with

sourcetype=datavalue | table GOAL1

i can see the integer as unique value.

Any idea?

mhpark · ‎09-09-2016

you would like to check if your GOAL1 is really an numeric, not a string.
try

| eval GOAL1 = tonumber(GOAL1)

or something and do the math again

gcusello · ‎09-09-2016

how is your lookup done?
I tried with a lookup not automatic, but called in the search, and it's ok!
Bye?
Giuseppe

problem using lookup output field

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation