Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is '"foreach" ingoring some columns in the calculation?

HeinzWaescher
Motivator
‎03-22-2017 04:23 AM

Hi,

I'm trying to calculate the ratio for all columns of a table compared to a specific column. So in the example below, just divide every column by colA. For some reason this does not work for all columns (colD is wrong), do you have any idea why?

When I decide to write the calculated values into new columns instead of replacing them, it works alt text

Thanks in advance

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-22-2017 07:42 AM

Because you have modified colA in the middle of the work: try this:

... | eval _colA = colA | foreach * [eval <<FIELD>> = round('<<FIELD>>'/_colA*100,2)]

Fields that begin with underscores have several peculiarities, in particular these 2:
They are not shown on the 'Statisticstab (except fortime),
They are not included in wildcards for fields (which is why you need to do things likeindex=* OR index=*`).

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-22-2017 07:42 AM

Because you have modified colA in the middle of the work: try this:

... | eval _colA = colA | foreach * [eval <<FIELD>> = round('<<FIELD>>'/_colA*100,2)]

Fields that begin with underscores have several peculiarities, in particular these 2:
They are not shown on the 'Statisticstab (except fortime),
They are not included in wildcards for fields (which is why you need to do things likeindex=* OR index=*`).

Reply
Solved! Jump to solution

helge
Builder
‎09-11-2018 03:46 PM

That remark about fields whose names begin with underscores not being included in wildcards for fields is a life-saver. Is that documented anywhere?

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎03-22-2017 04:51 AM

seems like it could be a bug to report. it looks like it's taking the replaced colA as the divisor and then multiplying by 100, leaving it with the initial value. I don't know why colB and colC aren't doing it as well, though.

to test, try creating a new column (colADup, or something) and do: |eval colADup=colA|foreach * [eval <<FIELD>>=round('<<FIELD>>'/colADup*100,2)]|fields - colADup

Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎03-22-2017 05:24 AM

Creating a colADup column and using it in foreach works as well. I don't get it 🙂

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎03-22-2017 05:39 AM

I think it's using the new '100' in colA in your original syntax when calculating colD, I'm just not sure why it doesn't do that for colB or colC.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...