Solved: stats count(eval) always returns zero

richgalloway · ‎06-02-2017

I'm having problems with what should be a very simple query. I'm trying to get a count of events in an "unavailable" state based on ping time values.

... | eval Available=if(RTT>20,0,1) | stats count(eval Available==0) as "Unavailable"

I have multiple events with RTT values larger than 20 and all of those events have Available set to zero, stats always returns 0.

I've tried a few variations on count(eval), including Available=0 and if(Available=0,1,0), all with the same result.

Does anyone see what I've done wrong?

---
If this reply helps you, Karma would be appreciated.

cmerriman · ‎06-02-2017

| eval Available=if(RTT>20,0,1) | stats count(eval(Available==0)) as "Unavailable"

you need a parenthesis between the eval and Available.

View solution in original post

woodcock · ‎06-02-2017

Like this:

... | eval Available=if(RTT>20,0,1) | stats count(eval(Available==0)) AS Unavailable

Or better yet, this:

... | stats count(eval(RTT<=20)) AS Unavailable

newbie2tech · ‎06-02-2017

can you try
... | eval Available=if(RTT>20,0,1) | where Available=0 |stats count as "Unavailable"

cmerriman · ‎06-02-2017

| eval Available=if(RTT>20,0,1) | stats count(eval(Available==0)) as "Unavailable"

you need a parenthesis between the eval and Available.

richgalloway · ‎06-02-2017

Winner!

FTR, I originally tried count(eval (Available==0)) which also failed. Removing the space after eval fixed it.

---
If this reply helps you, Karma would be appreciated.

cmerriman · ‎06-02-2017

also, FTR, if you need to wildcard a value ever (clearly not for this search as you only have 0 and 1), it would be count(eval(like(Available,"%0%"))) as "Unavailable"

stats count(eval) always returns zero

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms