Hi,
I'm trying to use a Custom Field Extraction to get some authorization data from some logs and then trying to find a ratio between successful/unsuccessful authorizations. The data I'm trying to extract looks like this inside my logs:
... "authorized":true ...
... "authorized":false ...
I've created a custom field extraction to get the number of occurrences of "true" and "false":
(?i)".*?"authorized":(?P<AUTHORIZED>[a-z]+)(?=,)
When I run the search command:
sourcetype=test_host_console host=test_host* AUTHORIZED=* | timechart count by AUTHORIZED
I correctly obtain columns with the corresponding number of falses and trues.
However, when I try to calculate a ratio between them and try to sort by host using this search command:
sourcetype=test_host_console host=test_host* AUTHORIZED=* | stats count(eval(AUTHORIZED=false)) as FALSE, count(eval(AUTHORIZED=true)) as TRUE by host | eval RATIO=FALSE/TRUE
I get all of 0's for my results. I'm not really sure what's wrong with my search command. Any help would be much appreciated.
Thanks
Two things:

1. You use a single = in your eval statements. You should use two (==) in string comparisons.
2. false and true are unquoted in your eval statements, so what you're telling Splunk is to compare the value of the field AUTHORIZED to the value of the fields false and true, respectively. Quote the strings and things should work.

thanks, it worked!
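For reference, the search from the question with both of the fixes above applied, plus a guard so hosts with zero successful authorizations yield an empty RATIO instead of a division error (this is an added example, not part of the original answer; sourcetype, host pattern and field names are the ones used in the question):

```spl
sourcetype=test_host_console host=test_host* AUTHORIZED=*
| stats count(eval(AUTHORIZED=="false")) AS FALSE,
        count(eval(AUTHORIZED=="true"))  AS TRUE
        BY host
| eval RATIO=if(TRUE>0, round(FALSE/TRUE, 3), null())
| sort - RATIO
```

Sorting by RATIO descending puts the hosts with the worst failed-to-successful ratio at the top, which is the usual first look when hunting for credential-stuffing or misconfigured clients.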