Solved: Convert a string with percentage sign to a number ...

charanramireddy · ‎10-05-2017

Hello,

I have this query to alert me when percentage_q_full reaches greater than certain number

eval alert=case((PERCENT_Q_FULL>90), "Critical", (PERCENT_Q_FULL>80), "Warning", true(), "N/A")

but all the column values of alert shows as N/A because PERCENT_Q_FULL has values in percentage. These values are being extracted using multikv.

PERCENT_Q_FULL
95.00%
3.12%
5.13%
0.00%
100.00%

How do I convert it so that alert column shows me critical vs warning ?

Thank you.

s2_splunk · ‎10-05-2017

Add | convert rmunit(PERCENT_Q_FULL) before your existing eval to remove the trailing unit character(s).

From the search reference manual:

rmunit()
Syntax: rmunit()
Description: Looks for numbers at the beginning of the value and removes trailing text. You can use wild card characters in the field name.

View solution in original post

s2_splunk · ‎10-05-2017

Add | convert rmunit(PERCENT_Q_FULL) before your existing eval to remove the trailing unit character(s).

From the search reference manual:

rmunit()
Syntax: rmunit()
Description: Looks for numbers at the beginning of the value and removes trailing text. You can use wild card characters in the field name.

charanramireddy · ‎10-05-2017

thank you. This works.

Convert a string with percentage sign to a number so it can be evaluated?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?