Splunk Search

Evaluating data from a field extraction

anjayloo
Engager

Hi,

I'm trying to use a Custom Field Extraction to get some authorization data from some logs and then trying to find a ratio between successful/unsuccessful authorizations. The data I'm trying to extract looks like this inside my logs:

... "authorized":true ...
... "authorized":false ...

I've created a custom field extraction to get the number of occurrences of "true" and "false":

(?i)".*?"authorized":(?P<AUTHORIZED>[a-z]+)(?=,)

When I run the search command:

sourcetype=test_host_console host=test_host* AUTHORIZED=* | timechart count by AUTHORIZED

I correctly obtain columns with the corresponding number of falses and trues

However, when I try to calculate a ratio between them and try to sort by host using this search command:

sourcetype=test_host_console host=test_host* AUTHORIZED=* | stats count(eval(AUTHORIZED=false)) as FALSE, count(eval(AUTHORIZED=true)) as TRUE by host | eval RATIO=FALSE/TRUE

I get all of 0's for my results. I'm not really sure what's wrong with my search command. Any help would be much appreciated.
Thanks

0 Karma
1 Solution

Ayn
Legend

Two things:

  1. You're using just a single = character in your eval statements. You should use two in string comparisons.
  2. You're not quoting the string in your eval statements so what you're telling Splunk is to compare the value of the field AUTHORIZED to the value of the fields false and true, respectively. Quote the strings and things should work.

View solution in original post

Ayn
Legend

Two things:

  1. You're using just a single = character in your eval statements. You should use two in string comparisons.
  2. You're not quoting the string in your eval statements so what you're telling Splunk is to compare the value of the field AUTHORIZED to the value of the fields false and true, respectively. Quote the strings and things should work.

anjayloo
Engager

thanks, it worked!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...