Hello,
I am trying to use and eval and if statement to calculate a percentage and I am not sure if I am doing something wrong or possible using the wrong spl or functions for this calculation.
Basically I have multiple agencies that have a total number of Splunk servers...
AGENCY ------- COUNT OF SPLUNK_SERVERS
Agency A -------- 30
Agency B --------- 20
Agency C -------- 15
Agency D -------- 12
I am using a rest spl to get the active Servers and want to divide by the absolute numbers above, so I was trying something like this
base search yields X number per Agency===we will say it's called the "count" field
|eval "Percentage of Available Servers"=if(Agency=Agency A, count/30)*100
As I researched, I know I was not doing the right thing and I know there are probably multiple ways that would be much easier so I thought I would ask for help. I have created a lookup* but not quite sure how to make it work with what I want to do*
Thanks in Advance.
Try this:
base search yields
| stats count BY Agency
| eval Percentage_of_Available_Servers = 100 * count / case(Agency="Agency A", 30
Agency="Agency B", 20,
Agency="Agency C", 15,
Agency="Agency D", 12,
true(), 9999999999999)