Hi prachisaxena,

Tried but says "Error in 'eval' command: The arguments to the 'round' function are invalid.". What I suspect is takeing call_in_ms as something different than number, but actually if I inspect the element it says is a number.

Thanks for your reply.
Juan

Hi ,

Can you try to do isnum() or isint() and see if it gives TRUE

Hi,

Ya I did that:

 | eval result= if(isint(callDurationMS),"ok","nook") | timechart span=1d count by result

all printed is "nook", same result for isnum.
So is not detected as number but if I don't filter it and use it straight in perc25(callDurationMS) is treated as a number,or that seems so as it works, and if I inspect "Select Fields" callDurationMS sayst Type:Number, I cannot paste the image.

Rgds,
Juan

Can you send me some sample text .. let me try

Hi,

Do you mean the JSON raw data?, this is a sample:

  {  
      callDurationMS:  30000 
      callId:  c1cefd39d2cc 
      callStartTime:  2016-02-27T06:01:33.986Z 
      metricType:  CALL 
   }

My working search is:

metricType="CALL" callDurationMS > 100  |timechart span=1d  perc25(callDurationM) as "25th %" perc50(callDurationM) as "50th %" perc75(callDurationM) as "75th %" count(callDurationM)

if I add the eval parameters callDurationMS goes to null, and there is no output.

Rgds

Juan

Hi again muebel,

I did some tests and problem seems to be in the format, I have been searching around and haven't found any other case, that is very weird.
Number passed to JSON is a long, if is not used in the eval statement then can be used to perform operations and indeed it gets correct result when I do stuff like perc25.
If I modify the value with eval, then it always return null. Some examples

 eval time = timems  ---> time will be null even if timems is not. 
 eval time = if(timems>1, "ok","notok") --- > that returns an error stating '>' comparin different formats. 
 eval time=if(timems>"1",'ok","error") ---> statement is always false (in reality is not) so always would return error (timems is set to null)
 eval time=tonumber(timems)  ---> time is always null.
 convert num(timems) ----> timems is always null

Rgds,

Juan

maybe
timechart perc75(time_in_ms/1000)

Hi muebel,
thanks, I tried that also no luck.
I also figure out how to check the event type and it is a number so for some reason any operation doing to it converts it to a null value, I am starting to think that may be a bug.

rgds,
Juan

Hi muebel,

Thanks for your interest I found an example in the doc that is exactly what I want to do. But no luck, actually I tried somesoni2 suggestion and is not working either, my thoughts are that eval for some reasons I don't reach to figure out is changing the format of the variable.

This works fine

search time_in_ms | timechart perc75(time_in_ms)

so I guess time_in_ms is a number variable as I can get the percentile.

If I do the following:

search time_in_ms | eval newtime=time_in_ms | timechart perc75(newtime)

I got nothing and theoretically there would be not difference between both searches.

that's exactly what I have and the result is nothing.

value.clientCallDuration > 0 | eval duration = tonumber(value.clientCallDuration)/1000 |
timechart span=1d  perc25(duration) as "25th %" perc50(duration) as "50th %" perc75(duration) as "75th %"

but the follwoing works:

value.clientCallDuration > 0 | timechart span=1d  perc25(value.clientCallDuration) as "25th %" perc50(value.clientCallDuration) as "50th %" perc75(value.clientCallDuration) as "75th %"

I am very confused, is there a way to know what format is splunk interpreting clientCallDuration?

Many thanks,

Juan

Hi somesoni2,

thanks for your reply, I tried that but doesn't work. It seems everything touched by eval goes to null.

For example if I do that:

search value_in_ms | timechart span=1d perc25(value_in_ms)

there is no problem and works fine, I get the graph correctly. But if I do this:

search value_in_ms | eval newvalue=value_in_ms |timechart span=1d perc25(newvalue)

Then got nothing, like if the eval is messing things up....

Rgds,

Juan