Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

stats count(eval) always returns zero

richgalloway
SplunkTrust
SplunkTrust
‎06-02-2017 07:05 AM

I'm having problems with what should be a very simple query. I'm trying to get a count of events in an "unavailable" state based on ping time values.

... | eval Available=if(RTT>20,0,1) | stats count(eval Available==0) as "Unavailable"

I have multiple events with RTT values larger than 20 and all of those events have Available set to zero, stats always returns 0.

I've tried a few variations on count(eval), including Available=0 and if(Available=0,1,0), all with the same result.

Does anyone see what I've done wrong?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎06-02-2017 07:08 AM 
| eval Available=if(RTT>20,0,1) | stats count(eval(Available==0)) as "Unavailable"

you need a parenthesis between the eval and Available.

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-02-2017 07:24 AM

Like this:

... | eval Available=if(RTT>20,0,1) | stats count(eval(Available==0)) AS Unavailable

Or better yet, this:

... | stats count(eval(RTT<=20)) AS Unavailable
Reply
Solved! Jump to solution

newbie2tech
Communicator
‎06-02-2017 07:10 AM

can you try
... | eval Available=if(RTT>20,0,1) | where Available=0 |stats count as "Unavailable"

0 Karma
Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎06-02-2017 07:08 AM 
| eval Available=if(RTT>20,0,1) | stats count(eval(Available==0)) as "Unavailable"

you need a parenthesis between the eval and Available.

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-02-2017 07:27 AM

Winner!

FTR, I originally tried count(eval (Available==0)) which also failed. Removing the space after eval fixed it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎06-02-2017 07:32 AM

also, FTR, if you need to wildcard a value ever (clearly not for this search as you only have 0 and 1), it would be count(eval(like(Available,"%0%"))) as "Unavailable"

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...