Dividing Field by a Number in stats

yinon_nadav · ‎12-13-2012

Hi,

How do I divide a field by a number.

I want to divide Att.Duration by 100 and use the new field in the stats section as an average

i tried this:
eval YearDuration=(Att.Duration/100) | stats avg(YearDuration) by Event.SubCT

and this:
stats avg(Att.Duration) as "Avg. Duration (min)" eval(avg(Att.Duration)/100) as YearDuration by Event.SubCT

When I'm not getting an error I get blank column..

Thanks!

lguinn2 · ‎12-13-2012

I think the problem is that Att.Duration is not a valid field name. Field names should contain letters, numbers and underscores only. The name must start with a letter.

I have noticed that Spunk will allow invalid field names in some places, but not in most commands.

lguinn2 · ‎12-14-2012

Yes, that is what I mean. It may be a valid JSON field, but it is not a valid Splunk field name. Some commands (like stats) are not picky. The eval command will not accept an invalid field name, because "." is a valid operator to eval.

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextrac...

for more info

yinon_nadav · ‎12-13-2012

Thanks, but this is a valid field (this is the JSON reference for a field) the field Att.Duration will return values in the stats clause, but when trying (with Att.Duration or any other field) to use it in evel I'm not getting any value.

thanks!

Dividing Field by a Number in stats

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?