Splunk Search

stats count(eval) always returns zero

richgalloway
SplunkTrust
SplunkTrust

I'm having problems with what should be a very simple query. I'm trying to get a count of events in an "unavailable" state based on ping time values.

... | eval Available=if(RTT>20,0,1) | stats count(eval Available==0) as "Unavailable"

I have multiple events with RTT values larger than 20 and all of those events have Available set to zero, stats always returns 0.

I've tried a few variations on count(eval), including Available=0 and if(Available=0,1,0), all with the same result.

Does anyone see what I've done wrong?

---
If this reply helps you, Karma would be appreciated.
0 Karma
1 Solution

cmerriman
Super Champion
| eval Available=if(RTT>20,0,1) | stats count(eval(Available==0)) as "Unavailable"

you need a parenthesis between the eval and Available.

View solution in original post

woodcock
Esteemed Legend

Like this:

... | eval Available=if(RTT>20,0,1) | stats count(eval(Available==0)) AS Unavailable

Or better yet, this:

... | stats count(eval(RTT<=20)) AS Unavailable

newbie2tech
Communicator

can you try
... | eval Available=if(RTT>20,0,1) | where Available=0 |stats count as "Unavailable"

0 Karma

cmerriman
Super Champion
| eval Available=if(RTT>20,0,1) | stats count(eval(Available==0)) as "Unavailable"

you need a parenthesis between the eval and Available.

richgalloway
SplunkTrust
SplunkTrust

Winner!

FTR, I originally tried count(eval (Available==0)) which also failed. Removing the space after eval fixed it.

---
If this reply helps you, Karma would be appreciated.
0 Karma

cmerriman
Super Champion

also, FTR, if you need to wildcard a value ever (clearly not for this search as you only have 0 and 1), it would be count(eval(like(Available,"%0%"))) as "Unavailable"

0 Karma
Get Updates on the Splunk Community!

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...

New Customer Testimonials

Enterprises of all sizes and across different industries are accelerating cloud adoption by migrating ...