Why am I unable to store a result into a new field using eval?

vasavigangana
Explorer

Hi

I tried the following search:

sourcetype="smaple12" OR sourcetype="sample22" OR sourcetype="sample32"  Install_Mode=SILENT | eval used_memory=Total_Memory-Available_Memory |table _time, used_memory

When I run it, I am not getting values in the used_memory field.

My log files look like this:

sample12 file:

Interview_Time = 26 seconds,Install_Time = 0 seconds,Link_Time = 0 seconds,Configuration_Time = 0 seconds,Session_Time = 37 seconds,Operating_System = Linux,Processor_Architecture = amd64,CPU_Speed = 3.3125 GHz,CPU_Number = 1 Processors,Total_Memory = 996 MB,Available_Memory = 64 MB,Available_Swap_Space = 2015 MB,Peak_Thread_Count = 9 Threads,Oracle_Home = /home/cmc/Oracle/Middleware/Oracle_Home,Install_Mode = SILENT,Oracle Home_Size = 0.9855431318283081 GB,Installed_From =../stage/products.xml,Deinstall_Time = 0 seconds , event=Coherence

sample22:

Interview_Time = 32 seconds,Install_Time = 0 seconds,Link_Time = 0 seconds,Configuration_Time = 0 seconds,Session_Time = 32 seconds,Operating_System = Linux,Processor_Architecture = amd64,CPU_Speed = 3.432 GHz,CPU_Number = 1 Processors,Total_Memory = 947 MB,Available_Memory = 74 MB,Available_Swap_Space = 2014 MB,Peak_Thread_Count = 7 Threads,Oracle_Home = /home/cmc/Oracle/Middleware/Oracle_Home,Install_Mode = SILENT,Oracle_Home_Size = 0.954186481248 GB,Installed_From =../stage/products.xml,Deinstall_Time = 0 seconds , event=Nosql

sample32:

Interview_Time = 47 seconds,Install_Time = 0 seconds,Link_Time = 0 seconds,Configuration_Time = 0 seconds,Session_Time = 56 seconds,Operating_System = Linux,Processor_Architecture = amd64,CPU_Speed = 2.658 GHz,CPU_Number = 1 Processors,Total_Memory = 1042 MB,Available_Memory = 567 MB,Available_Swap_Space = 2012 MB,Peak_Thread_Count = 5 Threads,Oracle_Home = /home/cmc/Oracle/Middleware/Oracle_Home,Install_Mode = SILENT,Oracle_Home_Size = 0.984785789270 GB,Installed_From =../stage/products.xml,Deinstall_Time = 0 seconds , event=kazzing
1 Solution

jeffland
SplunkTrust

Your field values are "123 MB". Splunk can only do arithmetic with numbers, so you'll have to get rid of that "MB" first. One solution would be to use rex (insert before eval):

| rex field=Total_Memory "(?<Total_Memory>\d+) MB" | rex field=Available_Memory "(?<Available_Memory>\d+) MB" 

This overrides your Available_Memory though; if you want to preserve it, you can rename the capturing group (but then you'll have to use the newly named fields in your search).

Another (possibly better) idea is to use the convert method to convert the field into a number, disregarding any non-numeric characters:

| convert num(Available_Memory) num(Total_Memory)

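To show why the original eval produces nothing and what the rex fix changes, here is an added Python walk-through (not part of the thread or of Splunk) that parses the question's "key = value" lines and computes used memory both ways. The sample lines are constructed from the question's events, trimmed to the relevant fields.

```python
import re

# Constructed sample: the three installer events from the question, trimmed
# to the fields that matter for the used_memory calculation.
SAMPLE_EVENTS = [
    "Total_Memory = 996 MB,Available_Memory = 64 MB,Install_Mode = SILENT, event=Coherence",
    "Total_Memory = 947 MB,Available_Memory = 74 MB,Install_Mode = SILENT, event=Nosql",
    "Total_Memory = 1042 MB,Available_Memory = 567 MB,Install_Mode = SILENT, event=kazzing",
]

# Same pattern as the rex in the accepted answer: the digits in front of " MB".
MB_VALUE = re.compile(r"(\d+) MB")


def parse_event(line):
    """Split a 'k = v,k = v' line into a dict of string values, which is what
    Splunk's automatic key=value extraction hands to eval ('996 MB', not 996)."""
    fields = {}
    for pair in line.split(","):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def naive_used_memory(fields):
    """What the original search asks for: arithmetic on the raw strings.
    Returns None, mirroring eval leaving used_memory empty for non-numeric operands."""
    try:
        return fields["Total_Memory"] - fields["Available_Memory"]
    except TypeError:
        return None


def strip_unit(value):
    """Equivalent of the rex in the answer: keep only the number before ' MB'."""
    m = MB_VALUE.search(value)
    return int(m.group(1)) if m else None


def used_memory_mb(fields):
    """The fixed search: convert both operands to numbers, then subtract."""
    total = strip_unit(fields.get("Total_Memory", ""))
    avail = strip_unit(fields.get("Available_Memory", ""))
    if total is None or avail is None:
        return None
    return total - avail


def used_memory_table(lines):
    """(event, used_memory_mb) for every line, like '| table event, used_memory'."""
    return [(f.get("event"), used_memory_mb(f)) for f in map(parse_event, lines)]
```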

fdi01
Motivator

Your search is not working because:
1- your sourcetypes are log files: sourcetype="smaple12" OR sourcetype="sample22" OR sourcetype="sample32"

First index or monitor your log files before writing your searches.
Note: a sourcetype is not a file. When you write your search, don't put sourcetype="smaple12" OR sourcetype="sample22" OR sourcetype="sample32".
Put your index name first.
Try like this:

index = "index_name" | convert num(Available_Memory) num(Total_Memory)  | eval used_memory=Total_Memory - Available_Memory + "MB" |table _time, used_memory

vasavigangana
Explorer

Thank you jeffland, it's working great.
