Splunk Search

What am I doing wrong in either my stats, append or eval because I keep getting a blank field?

brood85
Engager

I am very new to Splunk (as in this is my 3rd day using it) and am having some issues understanding what I am doing wrong.

specific.server
| stats dc(userID) as totalUsers
| append [search specific.server AND "text" | stats count(field) as variableA]
| eval variableB = exact(variableA/totalUsers)
| stats sum(totalUsers), sum(variableA), sum(variableB)

Now when this runs, sum(totalUsers) and sum(variableA) show up correctly; however, sum(variableB) always shows up as a blank field. I have tried many different ways and none of them have worked.

Now I will explain the way I am understanding what I wrote.

  1. First I am counting the number of individual users on a specific server and putting that number in a variable named totalUsers.
  2. I am doing another search, and in that search I count how many times a certain field occurs on that specific server and place that value into variableA.
  3. I then create a new variable called variableB and evaluate it to be variableA/totalUsers.
  4. This is then displayed as the sum of each individual variable: totalUsers, variableA, variableB.

Please explain to me what I am understanding incorrectly and if at all possible how to achieve what I am trying to do or at least point me in the right direction.

Thanks


lguinn2
Legend

First, you don't want append, you want appendcols. When you use append, you will end up with multiple events - you want all these results in a single event.

Second, you need to time-constrain your inner search, else it runs over all time. I have done that by using addinfo to collect the time parameters of the outer search, and then apply them to the inner search.

Finally, I don't think you need the final stats command, either.

specific.server
| stats dc(userID) as totalUsers
| appendcols [ search specific.server AND "text"
    | addinfo | where _time >= info_min_time AND _time <= info_max_time
    | stats count(field) as variableA ]
| eval variableB = exact(variableA/totalUsers)
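To see why the original search leaves variableB blank and why the answer's two changes fix it, here is a small Python model of the row semantics involved. This is an added illustration, not code from the thread or from Splunk: each event is a dict, a stats call yields a one-row table, append stacks rows, appendcols merges them side by side, eval on a missing field yields None (Splunk's null), and sum skips nulls. The events, the server name and the 15-minute time window are constructed for the example, and "count(field)" is simplified to counting events whose message contains "text".

```python
"""Model of Splunk append vs appendcols row semantics (added example).

Simulates, in plain Python, why `append` + `eval` + `stats sum` yields a
blank variableB, and why `appendcols` plus a time-constrained subsearch
(the `addinfo | where ...` idiom) produces the intended single row.
"""
from datetime import datetime, timedelta

# Constructed sample events for a hypothetical "specific.server".
NOW = datetime(2024, 1, 10, 12, 0, 0)
EVENTS = [
    {"_time": NOW - timedelta(minutes=5), "userID": "alice", "msg": "login ok"},
    {"_time": NOW - timedelta(minutes=4), "userID": "bob",   "msg": "text seen"},
    {"_time": NOW - timedelta(minutes=3), "userID": "alice", "msg": "text seen"},
    {"_time": NOW - timedelta(minutes=2), "userID": "carol", "msg": "logout"},
    # An old event outside the outer search window; an unconstrained
    # subsearch (no addinfo/where) still counts it.
    {"_time": NOW - timedelta(days=3),    "userID": "dave",  "msg": "text seen"},
]
WINDOW = (NOW - timedelta(minutes=15), NOW)  # outer search's time range (assumed)


def in_window(events, window):
    """Keep only events inside [info_min_time, info_max_time]."""
    lo, hi = window
    return [e for e in events if lo <= e["_time"] <= hi]


def stats_dc_users(events):
    """| stats dc(userID) as totalUsers  -> one-row table."""
    return [{"totalUsers": len({e["userID"] for e in events})}]


def stats_count_text(events):
    """search ... "text" | stats count as variableA -> one-row table."""
    return [{"variableA": sum(1 for e in events if "text" in e["msg"])}]


def append(left, right):
    """| append [...]: rows are stacked; fields absent in a row are null."""
    return left + right


def appendcols(left, right):
    """| appendcols [...]: the Nth subsearch row is merged into the Nth outer row."""
    merged = []
    for i in range(max(len(left), len(right))):
        row = dict(left[i]) if i < len(left) else {}
        if i < len(right):
            row.update(right[i])
        merged.append(row)
    return merged


def eval_ratio(rows):
    """| eval variableB = variableA/totalUsers; null when either side is missing."""
    for row in rows:
        a, t = row.get("variableA"), row.get("totalUsers")
        row["variableB"] = a / t if a is not None and t is not None and t else None
    return rows


def stats_sum(rows, field):
    """| stats sum(field): nulls are skipped; all-null gives null (a blank cell)."""
    vals = [r[field] for r in rows if r.get(field) is not None]
    return sum(vals) if vals else None


def original_query(events=EVENTS, window=WINDOW):
    """The question's pipeline: append, then eval, then stats sum of each field."""
    outer = in_window(events, window)
    rows = append(stats_dc_users(outer), stats_count_text(events))  # subsearch: all time
    eval_ratio(rows)  # each row lacks one operand, so variableB is null in both
    return {f: stats_sum(rows, f) for f in ("totalUsers", "variableA", "variableB")}


def fixed_query(events=EVENTS, window=WINDOW):
    """The answer's pipeline: appendcols with the subsearch limited to the outer window."""
    outer = in_window(events, window)
    inner = in_window(events, window)  # what `addinfo | where _time ...` achieves
    rows = appendcols(stats_dc_users(outer), stats_count_text(inner))
    return eval_ratio(rows)[0]


if __name__ == "__main__":
    print("original:", original_query())   # variableB is None -> blank in Splunk
    print("fixed:   ", fixed_query())      # one row with all three fields
```

Running the model, the original pipeline produces two rows, each missing one operand of the division, so variableB is null in both and its sum is blank; it also counts the three-day-old "text" event because the subsearch has no time constraint. The fixed pipeline yields a single row where totalUsers and variableA sit together, so the ratio is computed, and the subsearch only sees events from the outer search's window.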