- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Evaluating data from a field extraction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm trying to use a Custom Field Extraction to get some authorization data from some logs and then trying to find a ratio between successful/unsuccessful authorizations. The data I'm trying to extract looks like this inside my logs:
... "authorized":true ...
... "authorized":false ...
I've created a custom field extraction to get the number of occurrences of "true" and "false":
(?i)".*?"authorized":(?P<AUTHORIZED>[a-z]+)(?=,)
When I run the search command:
sourcetype=test_host_console host=test_host* AUTHORIZED=* | timechart count by AUTHORIZED
I correctly obtain columns with the corresponding number of falses and trues
However, when I try to calculate a ratio between them and try to sort by host using this search command:
sourcetype=test_host_console host=test_host* AUTHORIZED=* | stats count(eval(AUTHORIZED=false)) as FALSE, count(eval(AUTHORIZED=true)) as TRUE by host | eval RATIO=FALSE/TRUE
I get all of 0's for my results. I'm not really sure what's wrong with my search command. Any help would be much appreciated.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Two things:
- You're using just a single = character in your
evalstatements. You should use two in string comparisons. - You're not quoting the string in your
evalstatements so what you're telling Splunk is to compare the value of the field AUTHORIZED to the value of the fields false and true, respectively. Quote the strings and things should work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Two things:
- You're using just a single = character in your
evalstatements. You should use two in string comparisons. - You're not quoting the string in your
evalstatements so what you're telling Splunk is to compare the value of the field AUTHORIZED to the value of the fields false and true, respectively. Quote the strings and things should work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks, it worked!
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
