Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use eval on results of a search?

nsaravan
New Member
‎05-10-2014 04:02 PM

Let us say I have 5 unique fields in my logs (var1 thru var5), I would like to first find the mean of the individual fields ( avg(var*) ) and store them in a new field, say "avg_var". Then, I would like to get the difference of max(avg_var) and min(avg_var).

The following search provides me a table of the 1st part, but then I don't know how to get the min and max of the 5 unique fields.

sourcetype="src" var* | stats avg(var*) BY unitNo

result:

unitNo, avg(var1), avg(var2), avg(var3), avg(var4), avg(var5)

1, 12, 32, 63, 13, 45

..
..

Any help would be very much appreciated.

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-10-2014 04:36 PM

You can do this:

sourcetype="src" var* | stats avg(var*) as avg_var* BY unitNo | stats range(avg_var*) as range_var*

range() effectively computes max()-min() in one step. You should get one row with five columns as a result.

Edit: Search to compute range per row rather than per column:

sourcetype="src" var*
| stats avg(var*) as avg_var* BY unitNo
| foreach avg_var* [eval max = max(max, <<FIELD>>) | eval min = min(min, <<FIELD>>)]
| eval range = max - min
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-11-2014 09:32 AM

Great. I've added the updated search to the answer so you can mark it as solved.

0 Karma
Reply

nsaravan
New Member
‎05-11-2014 09:13 AM

It worked! Thank you so much.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-11-2014 04:22 AM

I see... something like this?

sourcetype="src" var*
| stats avg(var*) as avg_var* BY unitNo
| foreach avg_var* [eval max = max(max, <<FIELD>>) | eval min = min(min, <<FIELD>>)]
| eval range = max - min

The foreach will compute the max and min values, and the final eval will return range=51 for the example row. Requires Splunk 6 to work.

0 Karma
Reply

nsaravan
New Member
‎05-10-2014 07:47 PM

Thanks for the response. Your solution computes the range for each column and provides it in a row. However, I am looking to get the range for 5 variables for which I have the average. In my above example, the answer I was looking for is 63 - 12 = 51. Any suggestions on how to convert the individual fields as one field so that I can compute the range?

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...