topic Re: substr result in Splunk Search

substr result

katouoma — Tue, 29 Sep 2020 19:18:16 GMT

Hi,

I'm trying to use substr to extract the first 4 characters of my result (perc_err_test1 & perc_err_test2), but i don't know how to do it :

... | eval Error = if(test1 > 2,1,0) | eval Erreur = if(test2 > 2,1,0) 
| stats count as TOTAL, sum(Erreur)  as Erreur_test1, sum(Error) as Error_test2 
| eval perc_err_test1 = (Erreur_test1 / TOTAL) * 100 ." %" | eval perc_err_test2 = (Error_test2 / TOTAL) * 100 ." %"

Here is my result :

Re: substr result

FrankVl — Fri, 27 Apr 2018 09:32:42 GMT

What is the result you are after, based on this example? What have you tried and is not working?

I'm guessing you actually want to round the precentage, rather than taking the first 4 characters?

So: update your existing percentage calculating evals to look something like this: | eval perc_err_test1 = round((Erreur_test1 / TOTAL) * 100,2) ." %"

PS: you might want to look at alternative ways of adding that percentage sign. E.g. using | fieldformat perc_err_test1=perc_err_test1." %" such that the original numerical values are preserved for better sorting etc.

PPS: I took the liberty of editing your question, to put the search commands as code (using that 101010 button). That makes it easier to read and also prevents some special characters like * in this case from dissapearing 🙂

Re: substr result

deepashri_123 — Tue, 29 Sep 2020 19:18:19 GMT

Hi katouoma,

Can you try using round instead:
eval perc_err_test2 = round((Error_test2 / TOTAL) 100,4) ." %"

Let me know if this helps!!

Re: substr result

TISKAR — Fri, 27 Apr 2018 10:49:57 GMT

Can you try this please:

| eval Error = if(test1 > 2,1,0) | eval Erreur = if(test2 > 2,1,0) 
 | stats count as TOTAL, sum(Erreur)  as Erreur_test1, sum(Error) as Error_test2 
 | eval perc_err_test1 = round((Erreur_test1 / TOTAL) * 100,2)."%" , perc_err_test2 =round( (Error_test2 / TOTAL) * 100,2)."%"

OR if you want use subtr command:

| eval Error = if(test1 > 2,1,0) | eval Erreur = if(test2 > 2,1,0) 
 | stats count as TOTAL, sum(Erreur)  as Erreur_test1, sum(Error) as Error_test2 
 | eval perc_err_test1 =(Erreur_test1 / TOTAL) * 100,2) , perc_err_test2 =(Error_test2 / TOTAL) * 100,2) 
 | eval perc_err_test1=substr(perc_err_test1,1,5)."%", perc_err_test2=substr(perc_err_test2,1,5)."%"

Re: substr result

katouoma — Fri, 27 Apr 2018 13:39:46 GMT

Thanks a lot for your explanation, that was really helpful

Re: substr result

katouoma — Fri, 27 Apr 2018 13:42:11 GMT

Thank you @TISKAR this is exactly what i'm looking for (the first one using the "round" command)

Re: substr result

katouoma — Fri, 27 Apr 2018 13:44:58 GMT

Yeah this is the right answer but using : 100,3 rather than 100,4

Re: substr result

TISKAR — Fri, 27 Apr 2018 13:51:51 GMT

Can you up vote please to help another person

Re: substr result

katouoma — Fri, 27 Apr 2018 14:12:46 GMT

Yes but how can I do it ? (I'm new here ..)

Re: substr result

TISKAR — Fri, 27 Apr 2018 15:30:14 GMT

In left you have zero betwen two arrow clic to up vote, Thank's