Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there something about a join that prevents me from doing evaluations?

laduran
Explorer
‎08-05-2022 12:47 PM

I am fairly new to Splunk but I come from a background of SQL databases and I may still be trying to do things in a "relational" way...
Having said that I have two data sources. One represents test results (a list of test results) and one represents test suites (just some metadata for a set of tests like number of tests and a minimum required passing tests)

I want to be able to compute the ratio of tests that passed and compare that with a passing threshold ratio. To do this I join test results with the test summary data like this:

index=test_results
| where (!isnull(test_result))
| join type=inner left=L right=R where L.test_summary_id=R.test_summary_id
[search index=test_summaries]
|stats
values(L.project_short) AS project,
count(eval(L.test_result=='PASS')) as tests_passing
count,
values(R.number_of_tests) as number_of_tests,
values(R.passing_threshold) as pass_threshold
by L.sw_release_id



The line

 count(eval(L.test_result=='PASS')) as tests_passing


always evaluates to 0 but I expect it to be the number of tests with the value "PASS" as a result for that sw_release_id.

Other searches where I am not joining two tables, I can compute the tests_passing value correctly. Is there something about a join that prevents me from doing evaluations? Should I not use a join?

Thanks...


Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-05-2022 02:14 PM

Try something like this, although it is not clear what the relationship is between test_summary_id and sw_release_id, so this may not give you what you want. (Given that test_summary_id has the same name in your left and right, you don't need to qualify the names.)

index=test_results
| where isnotnull(test_result)
| join test_summary_id [search index=test_summaries]
| stats
values(project_short) AS project,
count(eval(test_result=='PASS')) as tests_passing
count,
values(number_of_tests) as number_of_tests,
values(passing_threshold) as pass_threshold
by sw_release_id

 

Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...