For some reason the following isn't working:
index="sandbox" sourcetype="as-cdr" |stats count AS numCalls
|append [search index="sandbox" sourcetype="as-cdr" Termination_Cause="016"|stats count AS numCallsSuccessful]
|eval callSuccRate=numCallsSuccessful/numCalls
|table callSuccRate
When running the searches separately I get 134 for numCalls, and 90 for numCallsSuccessful. However when I try to evaluate them and print it to a table I get no results found. Can anyone shed some light on what I'm doing wrong?
You would be much better off running:
index=sandbox sourcetype=as-cdr
| stats
count as numCalls
count(eval(Termination_Cause=="016")) as numCallsSuccessful
| eval callSuccRate = numCallsSuccessful/numCalls
| table callSuccRate
If your data set is very large, the subsearch will probably run into time limits. With Splunk it is generally a good idea to search the data set and retrieve data just once if possible, rather than running multiple searches or subsearches (particularly if they retrieve the same data or a subset of data).
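Why the `append` version yields no rate, reproduced here as an added example that is not part of either post. The six `makeresults` events and the 4-of-6 split are constructed sample data. `append` adds the subsearch output as a second row, so no single row carries both `numCalls` and `numCallsSuccessful`, and the `eval` evaluates to null on each row:

```spl
| makeresults count=6
| streamstats count AS n
| eval Termination_Cause=if(n<=4, "016", "031")
| stats count AS numCalls
| append
    [| makeresults count=6
     | streamstats count AS n
     | eval Termination_Cause=if(n<=4, "016", "031")
     | search Termination_Cause="016"
     | stats count AS numCallsSuccessful]
| eval callSuccRate=numCallsSuccessful/numCalls
| table numCalls numCallsSuccessful callSuccRate
```

Replacing everything after the first `eval` with the single `stats ... count(eval(Termination_Cause=="016"))` pipeline from the answer returns one row (numCalls 6, numCallsSuccessful 4), so the division has both operands and gives about 0.67.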
Hi splunkers!
I have to filter all the results of this field from 04/12/2018 until 04/12/2019, but when I do this search, it doesn't work: I get results going back to 2006!
I have tried using the date time picker, but it's still not working either.
How am I supposed to search? Do I have to use eval or another specific command?
Query:
index="db_archer2" earliest=-8760h latest=now()
| fields "Nome do Projeto"
| dedup "Nome do Projeto"
| eval Hoje= now()
| eval Hoje= now()-8760
| convert ctime(Hoje) ctime()
| stats dc
PS: The result was supposed to be 25 events.
Thanks!!
Thank you friends.
That actually fixed my issue, AND it's a good pointer. Now I have to go and revisit some prior items I had done before 🙂 Thanks!
I should note I have a few reports I need to generate that use basically this same syntax. It's simple, and I can't quite figure out why it's failing. Strangely, I have a more complicated search that is working just fine.