Solved: Re: Problem with Count and Eval losing fields

rachelneal · ‎09-12-2011

Here is my search:

source="/usr/local/logs/request/request.log" Supplier="LO" OR Supplier="AL" Type=
"Availability"| stats count AS Availabilty, count(eval(Result="NORATE")) AS NoAvail BY Hotel | eval percentage=round(100-(NoAvail/Availability*100)) | table Supplier, Hotel, Availabilty, NoAvail, percentage

How do I keep Supplier values throughout the pipes? How do I get percentage to display? I literally copied that one from a search example online yet the values of percentage never display. What am I missing?

acdevlin · ‎09-12-2011

The problem is the stats count AS Availabilty, count(eval(Result="NORATE")) AS NoAvail BY Hotel pipe. After this section, you will only have the "Availability", "NoAvail", and "Hotel" fields as they will be the only things displayed in the Stats output.

Luckily, there's an easy workaround. You can use Eventstats instead of Stats to keep all your other fields (including Supplier). So the full query will look like

source="/usr/local/logs/request/request.log" Supplier="LO" OR Supplier="AL" Type= "Availability"| eventstats count AS Availabilty, count(eval(Result="NORATE")) AS NoAvail BY Hotel | eval percentage=round(100-(NoAvail/Availability*100)) | table Supplier, Hotel, Availabilty, NoAvail, percentage

Does this solve your problem?

View solution in original post

acdevlin · ‎09-12-2011

The problem is the stats count AS Availabilty, count(eval(Result="NORATE")) AS NoAvail BY Hotel pipe. After this section, you will only have the "Availability", "NoAvail", and "Hotel" fields as they will be the only things displayed in the Stats output.

Luckily, there's an easy workaround. You can use Eventstats instead of Stats to keep all your other fields (including Supplier). So the full query will look like

source="/usr/local/logs/request/request.log" Supplier="LO" OR Supplier="AL" Type= "Availability"| eventstats count AS Availabilty, count(eval(Result="NORATE")) AS NoAvail BY Hotel | eval percentage=round(100-(NoAvail/Availability*100)) | table Supplier, Hotel, Availabilty, NoAvail, percentage

Does this solve your problem?

rachelneal · ‎09-12-2011

lol got it! too bad I can't check that answer too!

acdevlin · ‎09-12-2011

That would do it!

There should be a small check sign just under the vote up/vote down arrows for my answer. Clicking that check should accept it.

rachelneal · ‎09-12-2011

Ah ha. The check in the field list clued me in. All because of a typo. Thank you thank you. I was looking all over for the "accept" link or to uprate you but I don't see those links here. I'm in Chrome...hmmm I definitely want to give you your props and credit. 🙂

acdevlin · ‎09-12-2011

Any time.

If there are values in "percentage" and you can see it in the field list, you might want to try using something other than Table to display your results. You could try using Stats instead.

If there are no values in the field, there may be something wrong with the way you're calculating percentage. As a blind guess, you could try taking out the "round" and see what happens...

Also, think you could "accept" this answer if it helped you out? 🙂

rachelneal · ‎09-12-2011

Sweet!! That gave me Supplier back. Thank you! Any suggestions on getting percentage to display?

Problem with Count and Eval losing fields

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases