Solved: Re: substr result

katouoma · ‎04-27-2018

Hi,

I'm trying to use substr to extract the first 4 characters of my result (perc_err_test1 & perc_err_test2), but i don't know how to do it :

... | eval Error = if(test1 > 2,1,0) | eval Erreur = if(test2 > 2,1,0) 
| stats count as TOTAL, sum(Erreur)  as Erreur_test1, sum(Error) as Error_test2 
| eval perc_err_test1 = (Erreur_test1 / TOTAL) * 100 ." %" | eval perc_err_test2 = (Error_test2 / TOTAL) * 100 ." %"

Here is my result :

FrankVl · ‎04-27-2018

What is the result you are after, based on this example? What have you tried and is not working?

I'm guessing you actually want to round the precentage, rather than taking the first 4 characters?

So: update your existing percentage calculating evals to look something like this: | eval perc_err_test1 = round((Erreur_test1 / TOTAL) * 100,2) ." %"

PS: you might want to look at alternative ways of adding that percentage sign. E.g. using | fieldformat perc_err_test1=perc_err_test1." %" such that the original numerical values are preserved for better sorting etc.

PPS: I took the liberty of editing your question, to put the search commands as code (using that 101010 button). That makes it easier to read and also prevents some special characters like * in this case from dissapearing 🙂

View solution in original post

TISKAR · ‎04-27-2018

Can you try this please:

| eval Error = if(test1 > 2,1,0) | eval Erreur = if(test2 > 2,1,0) 
 | stats count as TOTAL, sum(Erreur)  as Erreur_test1, sum(Error) as Error_test2 
 | eval perc_err_test1 = round((Erreur_test1 / TOTAL) * 100,2)."%" , perc_err_test2 =round( (Error_test2 / TOTAL) * 100,2)."%"

OR if you want use subtr command:

| eval Error = if(test1 > 2,1,0) | eval Erreur = if(test2 > 2,1,0) 
 | stats count as TOTAL, sum(Erreur)  as Erreur_test1, sum(Error) as Error_test2 
 | eval perc_err_test1 =(Erreur_test1 / TOTAL) * 100,2) , perc_err_test2 =(Error_test2 / TOTAL) * 100,2) 
 | eval perc_err_test1=substr(perc_err_test1,1,5)."%", perc_err_test2=substr(perc_err_test2,1,5)."%"

katouoma · ‎04-27-2018

Thank you @TISKAR this is exactly what i'm looking for (the first one using the "round" command)

TISKAR · ‎04-27-2018

Can you up vote please to help another person

katouoma · ‎04-27-2018

Yes but how can I do it ? (I'm new here ..)

TISKAR · ‎04-27-2018

In left you have zero betwen two arrow clic to up vote, Thank's

deepashri_123 · ‎04-27-2018

Hi katouoma,

Can you try using round instead:
eval perc_err_test2 = round((Error_test2 / TOTAL) 100,4) ." %"

Let me know if this helps!!

katouoma · ‎04-27-2018

Yeah this is the right answer but using : 100,3 rather than 100,4

FrankVl · ‎04-27-2018

What is the result you are after, based on this example? What have you tried and is not working?

I'm guessing you actually want to round the precentage, rather than taking the first 4 characters?

So: update your existing percentage calculating evals to look something like this: | eval perc_err_test1 = round((Erreur_test1 / TOTAL) * 100,2) ." %"

PS: you might want to look at alternative ways of adding that percentage sign. E.g. using | fieldformat perc_err_test1=perc_err_test1." %" such that the original numerical values are preserved for better sorting etc.

PPS: I took the liberty of editing your question, to put the search commands as code (using that 101010 button). That makes it easier to read and also prevents some special characters like * in this case from dissapearing 🙂

katouoma · ‎04-27-2018

Thanks a lot for your explanation, that was really helpful

substr result

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk