Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Eval with an If Statement

sahr
Path Finder
‎09-07-2017 09:11 PM

Hello,

I am trying to use and eval and if statement to calculate a percentage and I am not sure if I am doing something wrong or possible using the wrong spl or functions for this calculation.

Basically I have multiple agencies that have a total number of Splunk servers...

AGENCY ------- COUNT OF SPLUNK_SERVERS
Agency A -------- 30
Agency B --------- 20
Agency C -------- 15

Agency D -------- 12

I am using a rest spl to get the active Servers and want to divide by the absolute numbers above, so I was trying something like this

base search yields X number per Agency===we will say it's called the "count" field
|eval "Percentage of Available Servers"=if(Agency=Agency A, count/30)*100

As I researched, I know I was not doing the right thing and I know there are probably multiple ways that would be much easier so I thought I would ask for help. I have created a lookup* but not quite sure how to make it work with what I want to do*

Thanks in Advance.

0 Karma
Reply

woodcock
Esteemed Legend
‎09-07-2017 09:21 PM

Try this:

base search yields
| stats count BY Agency
| eval Percentage_of_Available_Servers = 100 * count / case(Agency="Agency A", 30
                                                            Agency="Agency B", 20,
                                                            Agency="Agency C", 15,
                                                            Agency="Agency D", 12,
                                                            true(), 9999999999999)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...