11/16/2023

Splunk eval max

If the value in the name field is "baz", then "foo" is returned. Splunk searches use lexicographical order, where numbers are sorted before letters. The following example returns either "foo" or the value in the name field. This function takes one or more numeric or string values, and returns the maximum.

| eval c=avg("somedata", 2, 3)

max() Description

However, the following example returns an error because the string argument is specified directly within the function. The following example creates a field called a with value somedata, and a field called c with value 2.5. To use a quoted string as a number within the function, you must convert the number to an integer, as shown in the following example where c=2:

Example 3: In this example, a field with a value that is a string results in a field called a with value 1, and a field called c with value 2.

Example 4: When an argument is a field, the eval command retrieves the value and attempts to treat it as a number, even if it is a string. However, the following example returns an error because one of the arguments in the function is a string.

| eval a = 5.0, b = "9", x = avg(a, b, c)

Example 2: The following example calculates the average of three numbers and returns c=2. A field is not created for c and it is not included in the total because a value was not declared for that argument. You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Example 1: The following example creates a field called a with value 5.0, a field called b with value 9, and a field called x with value 7 that is the average of a and b. To get the numerical average or mean of the values of two fields, x and y, note that avg(x,y) is equivalent to sum(x,y)/(mvcount(x) + mvcount(y)). The eval command ignores arguments that don't exist in an event or can't be converted to a number.

When the function is applied to a multivalue field, each numeric value of the field is included in the total. At least one numeric argument is required. Each argument must be either a field (single or multivalue) or an expression that evaluates to a number. This function takes one or more values and returns the average of numerical values as an integer. In addition to these functions, there is a comprehensive set of statistical functions that you can use with the stats, chart, and related commands.

The following list contains the evaluation functions that you can use to calculate statistics.

For information about using string and numeric fields in functions, and nesting functions, see Evaluation functions.