I have been unable to add two field values and use the new value of a new column
I'm trying to take one field, multiply it by .60 then add that to another field that has been multiplied by .40. This is how I thought it would be created:
eval NewValue=(FirstValue*.60)+(SecondValue*.40)
I've verified that | stats values(FirstValue) and | stats values(SecondValue) print out expected results.
I've also verified that I am able to do | eval NewValue1=(FirstValue*.60) and | eval NewValue2=(SecondValue*.60), both yielding results. However, when I try: | eval NewValue=(FirstValue+SecondValue) I get nothing.
Any ideas/thoughts?
Try this:
... | rex field=FirstValue mode=sed "s/^\s*// s/\s*$//"
| rex field=SecondValue mode=sed "s/^\s*// s/\s*$//"
| eval NewValue = (tonumber(FirstValue) * 0.60) + (tonumber(SecondValue) * 0.40)
| eval NewValue = FirstValue*.60
| eval NewValue = SecondValue*.40
| chart count by NewValue
| eventstats sum(count) as total
Hope this helps, please comment if you have any questions. Thanks!
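Added example, not part of the original thread: a self-contained search that applies the tonumber() approach from the answer above to constructed rows and adds a diagnosis column saying why a row's NewValue is empty. It goes slightly beyond the answer by also flagging events where one operand is missing. The rows come from makeresults, the test_name values and numbers are made up, and trim() is used here in place of the two sed expressions.

```spl
| makeresults count=3
| streamstats count as n
| eval test_name="constructed_".n
| eval FirstValue=case(n=1, "120", n=2, " 120 ", n=3, "120")
| eval SecondValue=case(n=1, "80", n=2, "80")
| eval first_num=tonumber(trim(FirstValue)), second_num=tonumber(trim(SecondValue))
| eval NewValue=(first_num*.60)+(second_num*.40)
| eval diagnosis=case(
    isnull(FirstValue), "FirstValue missing in this event",
    isnull(SecondValue), "SecondValue missing in this event",
    isnull(first_num) OR isnull(second_num), "operand is not numeric after trim",
    true(), "ok")
| table test_name FirstValue SecondValue first_num second_num NewValue diagnosis
```

Rows 1 and 2 produce NewValue=104; row 3 has no SecondValue, so eval returns null for that event and the diagnosis column says so.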
I know it has been some time since you posted this, but were you able to find a solution? Or does anyone else know an answer to this? I am facing the same problem.
How did you verify the result of eval NewValue1=(FirstValue*.60)? As eval doesn't print out the result, how can you say that you got the right result?
This is part of a much larger query. When I use table, it switches the order of the columns and displays nothing but the column not related to this part of the query. Any other thoughts/ideas?
Understood. The swap to table in lieu of stats was to enable testing your search in smaller chunks and see if the problem was related to stats or not.
It doesn't make sense why this would not work. It could be a misspelling or a CamelCaseProblem. I did a simple comparison search on my Splunk test instance:
index=_internal source="*metrics.log" per_source_thruput
| eval foo=exact(kb*.60)
| eval foo2=exact(kb * .5)
| eval foo3=foo+foo2
| eval foo4=exact(kb*.60)+exact(kb*.50)
| eval error=abs(foo4-foo3)
| table kb,foo,foo2,foo3,foo4,error
This computes the value of (kb * .6) + (kb * .5) both stepwise and as a single expression, and compares the results. There was occasionally rounding error in the least significant digit, which should be expected with floating point.
Note, however, the use of exact() to make sure the various subexpressions were processed with floating point (instead of integer) maths.
Actually, I don't see anything obvious. Unfortunately, the answers site is somewhat messing up your comments (and your question) by taking the * and treating it like the beginning of italics markup. 😞 But, a question - could stats be messing this up somehow? Try this instead:
eval IE_Average=(IE_Response * .60)
| eval FF_Average=(FF_Response * .40)
| eval Averages=(IE_Average)+(FF_Average)
| table IE_Response,FF_Response,IE_Average,FF_Average,Averages
Maybe a 2nd eye will help me see it. Here is that part:
eval IE_Average=(IE_Response*.60) | eval FF_Average=(FF_Response*.40) | eval Averages=(IE_Average)+(FF_Average) | stats values(IE_Response) values(FF_Response) values(IE_Average) values(FF_Average) values(Averages) by test_name
values(FF_Average) displays column fine
values(IE_Average) displays column fine
But values(Averages) displays nothing....