For example, the following search has different precision for 0.2 in each of the calculations based on the number of zeros following the number 2: The precision of the results can be no greater than the precision of the least-precise input. Results are rounded to a precision appropriate to the precision of the input results. Division by zero results in a null field. The special values for positive and negative infinity are represented in your results as "inf" and "-inf" respectively. If the calculation results in the floating-point special value NaN(Not a Number), it is represented as "nan" in your results. If you are using a search as an argument to the eval command and functions, you cannot use a saved search name you must pass a literal search string or a field that contains a literal search string (like the 'search' field extracted from index=_audit events).ĭuring calculations, numbers are treated as double-precision floating-point numbers, subject to all the usual behaviors of floating point numbers. However you can convert booleans and nulls to strings using the tostring() function, which can be assigned to fields.
Numbers and strings can be assigned to fields, while booleans cannot be assigned. If the field name that you specify matches an existing field name, the values in the existing field are replaced by the results of the eval expression. You can specify a name for a new field or for an existing field. You must specify a field name for the results that are returned from your eval command expression. The eval command is a distributable streaming command. For example, if the string you want to use is server- you specify the string like this new="server-".host. * If the expression references a literal string, that string needs to be surrounded by double quotation marks.
For example, if the field name is server-1 you specify the field name like this new=count+'server-1'. * If the expression references a field name that contains non-alphanumeric characters, other than the underscore ( _ ) character, the field name needs to be surrounded by single quotation marks. * If, at search time, the expression cannot be evaluated successfully for a given event, the eval command erases the resulting field. * The result of an eval expression cannot be a Boolean. The syntax of the eval expression is checked before running the search, and an exception is thrown for an invalid expression. expression Syntax: Description: A combination of values, variables, operators, and functions that will be executed to determine the value to place in your destination field. If the field name already exists in your events, eval overwrites the value. Mirror over on Medium.Required arguments field Syntax: Description: A destination field name for the resulting calculated value. And if you wanted to learn more about Splunk Lab, you can visit the project page on GitHub: That’s all I have for this post–I just wanted to show a quick and simple use of makeresults, as it’s been one of my favorite commands for quite some time. Finally, we have a diff which shows us the difference between those two averages as of each event. Next we have the average of our field as of each event, and you can see it is all over the place early on, and eventually closes in on average. Now we have a nice timechart that shows the average of that field over the entire set of events, which is a flat line. | timechart span=1s avg(avgstreamsum) as avg_stream_sum avg(diff) as diff avg(avgeventsum) as avgeventsum | eval diff=abs(avgeventsum - avgstreamsum)
| streamstats avg(newval) as avgstreamsum
0 kommentar(er)
