
Is there something about a join that prevents me from doing evaluations?


I am fairly new to Splunk but I come from a background of SQL databases and I may still be trying to do things in a "relational" way...
Having said that, I have two data sources. One represents test results (a list of test results) and one represents test suites (just some metadata for a set of tests, like the number of tests and a minimum required number of passing tests).

I want to be able to compute the ratio of tests that passed and compare that with a passing threshold ratio. To do this I join test results with the test summary data like this:

| where (!isnull(test_result))
| join type=inner left=L right=R where L.test_summary_id=R.test_summary_id
[search index=test_summaries]
| stats
values(L.project_short) AS project,
count(eval(L.test_result=='PASS')) as tests_passing
values(R.number_of_tests) as number_of_tests,
values(R.passing_threshold) as pass_threshold
by L.sw_release_id

The line

 count(eval(L.test_result=='PASS')) as tests_passing

always evaluates to 0 but I expect it to be the number of tests with the value "PASS" as a result for that sw_release_id.

In other searches where I am not joining two tables, I can compute the tests_passing value correctly. Is there something about a join that prevents me from doing evaluations? Should I not use a join?




Try something like this, although it is not clear what the relationship is between test_summary_id and sw_release_id, so this may not give you what you want. (Given that test_summary_id has the same name in your left and right, you don't need to qualify the names.)

| where isnotnull(test_result)
| join test_summary_id [search index=test_summaries]
| stats
values(project_short) AS project,
count(eval(test_result=="PASS")) as tests_passing,
values(number_of_tests) as number_of_tests,
values(passing_threshold) as pass_threshold
by sw_release_id
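
An added example, not part of the original thread: inside an eval expression, single quotes name a field and double quotes make a string literal, so `test_result=='PASS'` compares against a field called PASS, which does not exist, and the count comes out as 0 with or without a join. The search below builds constructed data with `makeresults` (the release name, counts and threshold are made up; the field names are the ones used in the thread) and puts both quoting styles side by side, then compares the pass ratio with the threshold.

```spl
| makeresults count=4
| streamstats count AS n
| eval test_summary_id=1,
       sw_release_id="constructed-release-A",
       test_result=case(n<=3, "PASS", true(), "FAIL")
| join test_summary_id
    [| makeresults
     | eval test_summary_id=1, number_of_tests=4, passing_threshold=0.7
     | fields test_summary_id number_of_tests passing_threshold]
| stats
    count(eval(test_result=='PASS')) AS single_quoted_count,
    count(eval(test_result=="PASS")) AS tests_passing,
    values(number_of_tests) AS number_of_tests,
    values(passing_threshold) AS pass_threshold
    by sw_release_id
| eval pass_ratio=round(tests_passing/number_of_tests, 2),
       meets_threshold=if(pass_ratio>=pass_threshold, "yes", "no")
```

If the joined fields carry a dot in their names, as with the `L.`/`R.` aliases in the question, the field itself needs single quotes inside eval, for example `'L.test_result'=="PASS"`.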

