vadimg
Reputation: 11
Splunk query returns 0 after using eval function
Query return 0 value for eval calculation.
index=* platform=PC browser_name=chrome OR browser_name=edge OR browser_name=safari | stats count(eval(player_event="play")) AS Play count(eval(error_event_type="vsf")) AS VSF count(eval((Play / VSF))) AS Rate by browser_name
I would expect this query return % rate of eval counts and display a timechart
Upvotes: 1
Views: 685
Answers (1)
RichG
Reputation: 9926
The Rate field cannot be calculated because Play and VSF are still being computed. Try breaking Rate into a separate eval command.
index=* platform=PC browser_name=chrome OR browser_name=edge OR browser_name=safari
| stats count(eval(player_event="play")) AS Play count(eval(error_event_type="vsf")) AS VSF by browser_name
| eval Rate=round(Play / VSF, 3)
This query cannot display a timechart because there is no _time field in the results. To get an hourly timechart, try this. Change span=1h to something else if you want a different time period in the chart.
index=* platform=PC browser_name=chrome OR browser_name=edge OR browser_name=safari
| bucket span=1h _time
| stats count(eval(player_event="play")) AS Play count(eval(error_event_type="vsf")) AS VSF by time, browser_name
| eval Rate=round(Play / VSF, 3)
| timechart span=1h values(Rate) as Rate
Upvotes: 0
Related Questions
- Extract data from splunk
- Splunk: Entry looks like an array but can't be accessed as one
- How to use Splunk functions in the query
- Splunk field extractor unable to extract all values
- Assign Nested Value to Variable in Splunk
- Eval command vs eval expression
- Splunk: Assigning variables
- How to reference an eval variable in query
- Splunk Cloud search query with variable does not return results
- Splunk query do not return value for both columns together