Splunk Search

Calculated values showing wrong results. I have the search string attached, what am I doign wrong, here

rajendra_b
New Member
source =/opt/data/splunkLogs/order_transaction.log | eval TotalOrders=if(match(OrderStatus,"In Progress"),count,0) | eval CompOrders=if(match(OrderStatus,"Complete"),count,0) | eval ErrOrders=if(match(OrderStatus,"In Error"),count,0) | eval InProgOrders=(TotalOrders - CompOrders - ErrOrders)

I want to calculate these values from the events:
Total Orders = All orders with In progress status.
Complete Orders = All orders with Complete status.
Orders in Error = All orders with In Error status.
Inpogress Orders = TotalOrders - CompleteOrders - InErrorOrders

Tags (1)
0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi rajendra_b,

use either eval TotalOrders=if(match(OrderStatus,"In Progress"),count,"0")
or eval TotalOrders=if(match(OrderStatus,"In Progress"),count,null())

Hope this helps ...

cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi rajendra_b,

use either eval TotalOrders=if(match(OrderStatus,"In Progress"),count,"0")
or eval TotalOrders=if(match(OrderStatus,"In Progress"),count,null())

Hope this helps ...

cheers, MuS

rajendra_b
New Member

Thanks for responding. I modified it like below and it works now. However when I use this in Pie chart the values are only displayed when you hover the mouse on it, I want it to display on the panel as well. How can we do that.

source =/opt/data/splunkLogs/order_transaction.log | dedup OrderId | stats count(eval(OrderStatus="In Progress")) AS InProgOrders, count(eval(OrderStatus="Complete")) AS CompOrders, count(eval(OrderStatus="In Error")) AS ErrOrders | eval TotalOrders=(InProgOrders + CompOrders + ErrOrders) | table TotalOrders, CompOrders, InProgOrders, ErrOrders
0 Karma

MuS
SplunkTrust
SplunkTrust

Hi, this is indeed possible if you use some tricks 😉

Take a look at this answer http://answers.splunk.com/answers/91517/displaying-count-as-label-in-pie-graph.html or at this app https://apps.splunk.com/app/1161/

cheers, MuS

0 Karma

rajendra_b
New Member

MuS,
Thanks a lot for the suggestions. The Percentage is being displayed, however the count is not. I am trying different ways to render the count. Here is my query just in case.

source =/opt/data/splunkLogs/order_transaction.log | dedup OrderId | stats count(eval(OrderStatus="In Progress")) AS InProgress, count(eval(OrderStatus="Complete")) AS Complete, count(eval(OrderStatus="In Error")) AS Error |  transpose 
0 Karma

rajendra_b
New Member

Finally this works. Thank you all for the help. This displays the count as well.

source =/opt/data/splunkLogs/order_transaction.log | dedup OrderId | top OrderStatus | eval OrderStatus=OrderStatus." :".count

Used this to display percentage in the XML as provided earlier.

<option name="charting.chart.showPercent">true</option>
0 Karma

ramdaspr
Contributor

You can only show percentages along with labels but not the counts

    <option name="charting.chart.showPercent">true</option>
0 Karma

rajendra_b
New Member

Thanks a lot for the help Ramdaspr. The Percentage works.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...