Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can't evaluate expression in query over multiple files

rjahrling
New Member
‎02-04-2014 12:08 PM

Here's my query in Search:

host=kpidata source="*avail*" | eval Time = _time | eval days_in_month = round((relative_time(_time,"@mon+1mon")-relative_time(_time,"@mon"))/86400) | convert rmunit("Achieved Average") as unsched_num | convert rmunit("Operational Average") as total_num | eval unsched_downtime = days_in_month * (100 - unsched_num) | eval total_downtime = days_in_month * (100 - total_num) | timechart max(total_downtime) max(unsched_downtime)

...and it works great. I am pulling Operational Average and Achieved Average out of the files as text ("98.7%"), converting them to numbers (98.7), and using them in calculations without difficulty. The calculation for days_in_month is returning correct values. The results for the query appear correct, and the graphs correspond to existing graphs.

But.

I want to be able to calculate a value called sched_downtime:

eval sched_downtime = total_downtime - unsched_downtime

When I add that to the query (before the timechart, of course), no values are returned. I'm not sure I understand what's going on. I can say sched_downtime = total_downtime and data appears; I can say sched_downtime = total_downtime + 3 and data appears. I can do the same, manipulating unsched_downtime alone. But if I try to use the two downtime stats together...nothing.

I tried skipping the intermediate *_downtime calculations entirely, but that didn't make a difference either. It looks like if I try to use both the unscheduled and total numbers in a single eval, there will be no results--but no errors, either, at least not that I can see.

"Operational Average" and "Achieved Average" are fields in separate files. Does that matter? What have I done wrong? How can I get the value for sched_downtime?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-04-2014 12:24 PM

Since "Operational Average" and "Achieved Average" are fields in separate files, they both don't appear in the same event/row when you're calculating your total_downtime and "unsched_downtime". If in your current query, your remove the timechart part and added below, your will get data like this.

Query to replace timechart

| table _time, total_downtime, unsched_downtime

Results

_time   total_downtime      unsched_downtime 
............................................
timestamp1   total_downtime1  NULL/Blank
timestamp1    NULL/Blank      unsched_downtime1
....
...

Because of one of them will NULL for every event, the "|eval sched_downtime = total_downtime - unsched_downtime" returns nothing.

One workaround here, assuming you want to do timechart daily (your can change it per your need), try following.

host=kpidata source="*avail*" | eval Time = _time | eval days_in_month = round((relative_time(_time,"@mon+1mon")-relative_time(_time,"@mon"))/86400) | convert rmunit("Achieved Average") as unsched_num | convert rmunit("Operational Average") as total_num | eval unsched_downtime = days_in_month * (100 - unsched_num) | eval total_downtime = days_in_month * (100 - total_num) | bucket span=1d _time | stats max(total_downtime) as total_downtime, max(unsched_downtime) as unsched_downtime by _time |eval sched_downtime = total_downtime - unsched_downtime | timechart max(total_downtime) max(unsched_downtime) max(sched_downtime)

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-04-2014 12:24 PM

Since "Operational Average" and "Achieved Average" are fields in separate files, they both don't appear in the same event/row when you're calculating your total_downtime and "unsched_downtime". If in your current query, your remove the timechart part and added below, your will get data like this.

Query to replace timechart

| table _time, total_downtime, unsched_downtime

Results

_time   total_downtime      unsched_downtime 
............................................
timestamp1   total_downtime1  NULL/Blank
timestamp1    NULL/Blank      unsched_downtime1
....
...

Because of one of them will NULL for every event, the "|eval sched_downtime = total_downtime - unsched_downtime" returns nothing.

One workaround here, assuming you want to do timechart daily (your can change it per your need), try following.

host=kpidata source="*avail*" | eval Time = _time | eval days_in_month = round((relative_time(_time,"@mon+1mon")-relative_time(_time,"@mon"))/86400) | convert rmunit("Achieved Average") as unsched_num | convert rmunit("Operational Average") as total_num | eval unsched_downtime = days_in_month * (100 - unsched_num) | eval total_downtime = days_in_month * (100 - total_num) | bucket span=1d _time | stats max(total_downtime) as total_downtime, max(unsched_downtime) as unsched_downtime by _time |eval sched_downtime = total_downtime - unsched_downtime | timechart max(total_downtime) max(unsched_downtime) max(sched_downtime)
Reply
Solved! Jump to solution

rjahrling
New Member
‎02-04-2014 01:11 PM

Thanks! Adding the stats clause worked. I appreciate your help.

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎02-04-2014 12:39 PM

oops, one should not watch TV while editing answers. 🙂

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...