Solved: eval command after stats command not working

jvmerilla · ‎11-26-2017

Hi,

I'm having a problem with this search:

index="pcmm" "Technical Proficiency"!=NA 
| stats count("Resource Name") as count by "Technical Proficiency"
| eval count = count
| appendpipe
    [stats sum(count) as Total]
| eval Total = Total
| eval "Proficiency Composition" = tostring((count/Total)*100,"commas")."%"

What I'm trying to do here is to use the eval command to make a calculation with the "count" and "Total" field and put the result in the new field named "Proficiency Composition". But it seems that the eval command doesn't work since the result does not return the new field.

Here's the result when I run the query:

What could be the problem here?

Thanks in advance!

kamlesh_vaghela · ‎11-26-2017

Hi
Can you please try this one ?

index="pcmm" "Technical Proficiency"!=NA 
| stats count("Resource Name") as count by "Technical Proficiency"
| eventstats sum(count) as Total
| eval "Proficiency Composition" = tostring((count/Total)*100,"commas")."%"

Happy Splunking

View solution in original post

kamlesh_vaghela · ‎11-26-2017

Hi
Can you please try this one ?

index="pcmm" "Technical Proficiency"!=NA 
| stats count("Resource Name") as count by "Technical Proficiency"
| eventstats sum(count) as Total
| eval "Proficiency Composition" = tostring((count/Total)*100,"commas")."%"

Happy Splunking

jvmerilla · ‎11-26-2017

Hi,

It works! 🙂

Thanks!

But you can explain to me how this works and why my search query doesn't?

kamlesh_vaghela · ‎11-26-2017

Hi @jvmerilla,

Yes,

1) In your search, you mentioned | eval count = count, actually it does not make any sense. Bcoz It is assigning the same value to same field (count = count).

2) | appendpipe [stats sum(count) as Total], this will create a new row with Total column. So I have replaced it with | eventstats sum(count) as Total.

3) | eval Total = Total, again same, assigning the same value to same field

4) | eval "Proficiency Composition" = tostring((count/Total)*100,"commas")."%" , this will work if Total field is available for all rows. due to (2nd) reason. The replacement will give you Total field for all rows and your eval works well.

I hope this will help you.

!!! Happy Splunking !!!

jvmerilla · ‎11-26-2017

Hi @kamlesh_vaghela,

Thanks for the clarification!

I get it now.

Thank you again! 🙂

niketn · ‎11-26-2017

@jvmerilla, any reason for going after string format for comma separation on a percent field? Do you think your percent value can shoot up/down by 1000% or more which might show it as 1,000%?

| eval "Proficiency Composition" = tostring((count/Total)*100,"commas")."%"

Normally, we round off using round() function to digits of precision based on our needs:

| eval "Proficiency Composition" = round((count/Total)*100,2)."%"

Above rounds the percent to 2 digits of precision and adds % after the value.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jvmerilla · ‎11-26-2017

Hi @niketnilay,
Yes, you're right. I should have use the round() instead of tostring().
The only reason I used tostring() was because I thought I need to make the value a string first before I can add the %.
But I realized that I was wrong about that.
Thank you! 🙂

kamlesh_vaghela · ‎11-26-2017

@niketnilay. Agreed.

kamlesh_vaghela · ‎11-26-2017

Hi @jvmerilla,

Glad to help you. Please upvote my comments which help you.

🙂

eval command after stats command not working

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!