Solved: How to edit my search so the eval function to work...

mtrochym · ‎01-05-2017

I am looking to find the errorpercentage of ERROR_CODES vs the number of "ACTIVITY="logins" per division (we have 4 of them) in a timechart. Below is my current search, which works well for only one division. You will notice that my count(eval is excluding two specific errorcodes.)

index=something ERROR_CODE="*" ACTIVITY="*" division=NY
|timechart count(eval(ERROR_CODE!="N/A" AND ERROR_CODE!="900")) as EC , count(eval(ACTIVITY="logins")) as Search
| eval ErrorPercent= round(((EC)/Search)*100) |fields - Search - EC

This works great to show me the "ErrorPercent" for one division but when I try adding 'by division' into my timechart (like this)

|timechart count(eval(ERROR_CODE!="N/A" AND ERROR_CODE!="900")) as EC , count(eval(ACTIVITY="logins")) as Search by division

I only end up with fields "EC: division" & "Search: division" per division. The search doesn't seem to go further and show me the "ErrorPercent" field per division.

Any help would be appreciated.

Thanks.

somesoni2 · ‎01-05-2017

Give this a try

index=something ERROR_CODE="*" ACTIVITY="*" division=*
 |timechart count(eval(ERROR_CODE!="N/A" AND ERROR_CODE!="900")) as EC , count(eval(ACTIVITY="logins")) as Search by division
| foreach EC* [eval "ErrorPercent<<MATCHSTR>>"= round((('<<FIELD>>')/'Search<<MATCHSTR>>')*100) ] |fields - Search* - EC*

View solution in original post

somesoni2 · ‎01-05-2017

Give this a try

index=something ERROR_CODE="*" ACTIVITY="*" division=*
 |timechart count(eval(ERROR_CODE!="N/A" AND ERROR_CODE!="900")) as EC , count(eval(ACTIVITY="logins")) as Search by division
| foreach EC* [eval "ErrorPercent<<MATCHSTR>>"= round((('<<FIELD>>')/'Search<<MATCHSTR>>')*100) ] |fields - Search* - EC*

mtrochym · ‎01-06-2017

That worked! Thank you so much!!

How to edit my search so the eval function to work in a timechart?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life