Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regarding eval operations on the fields having special characters

sudhir_norway
Engager
‎04-25-2022 01:49 AM

I wanted to add this chaining command with my search and display total of the values under fields(columns) "a-b-1"  and "a-b-2" and give the total results as total_requests 

eval total_requests=a-b-1+a-b-2

where "a-b-1" and "a-b-2" is the field1 and field2 which i want to add using '+' operator

I have tried putting fields in double quotes and single quotes but unfortunately  it is not working.

I can do it by renaming the fields but can someone suggest someway to do without renaming it.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-25-2022 02:30 AM

Here is a runanywhere example showing the syntax working.

| makeresults
| eval _raw="
Time	a-b-1	a-b-2	Total_requests
0:00	2	3	5
0:10	4	6	10
0:20	8	10	18"
| multikv forceheader=1
| rename a_b_1 as "a-b-1" a_b_2 as "a-b-2"
| fields Time "a-b-1" "a-b-2"
| fields - _raw _time
``` the lines above set up example data as posted ```
| eval Total_requests='a-b-1'+'a-b-2'

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-25-2022 01:55 AM

Is this what you mean?

| eval total_requests='a-b-1'+'a-b-2'
0 Karma
Reply
Solved! Jump to solution

sudhir_norway
Engager
‎04-25-2022 01:58 AM

Yes but its not working as expected

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-25-2022 02:01 AM

Can you give an example of when it is not giving the expected result? Also, is this happening for every event or just some of them?

0 Karma
Reply
Solved! Jump to solution

sudhir_norway
Engager
‎04-25-2022 02:21 AM

| timechart span=10m count by host |rename a-b-1 as a1 |rename a-b-2 as a2 |eval total_requests=a1+a2

Above works as expected and chart displays with total_requests correctly

But when i tried 

| timechart span=5m count by host |eval total_requests=a-b-1+a-b-2 then it dont work(I tried keeping both in single quotes and double quotes but didnt worked).Its not displaying the total

Below is the sample data and what i am looking for

Timea-b-1a-b-2Total_requests
0:00235
0:104610
0:2081018

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-25-2022 02:30 AM

Here is a runanywhere example showing the syntax working.

| makeresults
| eval _raw="
Time	a-b-1	a-b-2	Total_requests
0:00	2	3	5
0:10	4	6	10
0:20	8	10	18"
| multikv forceheader=1
| rename a_b_1 as "a-b-1" a_b_2 as "a-b-2"
| fields Time "a-b-1" "a-b-2"
| fields - _raw _time
``` the lines above set up example data as posted ```
| eval Total_requests='a-b-1'+'a-b-2'
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...