Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there something about a join that prevents me from doing evaluations?

laduran
Explorer
‎08-05-2022 12:47 PM

I am fairly new to Splunk but I come from a background of SQL databases and I may still be trying to do things in a "relational" way...
Having said that I have two data sources. One represents test results (a list of test results) and one represents test suites (just some metadata for a set of tests like number of tests and a minimum required passing tests)

I want to be able to compute the ratio of tests that passed and compare that with a passing threshold ratio. To do this I join test results with the test summary data like this:

index=test_results
| where (!isnull(test_result))
| join type=inner left=L right=R where L.test_summary_id=R.test_summary_id
[search index=test_summaries]
|stats
values(L.project_short) AS project,
count(eval(L.test_result=='PASS')) as tests_passing
count,
values(R.number_of_tests) as number_of_tests,
values(R.passing_threshold) as pass_threshold
by L.sw_release_id



The line

 count(eval(L.test_result=='PASS')) as tests_passing


always evaluates to 0 but I expect it to be the number of tests with the value "PASS" as a result for that sw_release_id.

Other searches where I am not joining two tables, I can compute the tests_passing value correctly. Is there something about a join that prevents me from doing evaluations? Should I not use a join?

Thanks...


Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-05-2022 02:14 PM

Try something like this, although it is not clear what the relationship is between test_summary_id and sw_release_id, so this may not give you what you want. (Given that test_summary_id has the same name in your left and right, you don't need to qualify the names.)

index=test_results
| where isnotnull(test_result)
| join test_summary_id [search index=test_summaries]
| stats
values(project_short) AS project,
count(eval(test_result=='PASS')) as tests_passing
count,
values(number_of_tests) as number_of_tests,
values(passing_threshold) as pass_threshold
by sw_release_id

 

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...