Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add if clause in a foreach eval [ statement for the following query?

djoobbani
Path Finder
‎08-18-2022 01:20 PM

Dear splunk community:

I have the following search query which basically shows the number of counts and percentage of url (Y-Axis) http status code (X-Axis):

<basic search> | chart count by url, http_status_code | addtotals fieldname=total
| foreach 2* 3* 4* 5* [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total), "<<FIELD>>"='<<FIELD>>'." (".'percent_<<FIELD>>'."%)" ] | fields - percent_* total

Here is a sample of the above query result:

Screen Shot 2022-08-18 at 1.14.23 PM.png

Now, i need to insert an if clause so that if the percentage is either 0 OR 100, then do NOT display the percentage. How would i do that to the above query to get this result?

Thank you very much for your help!

 

Labels (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-18-2022 01:32 PM

Untested, but perhaps this will do.

| foreach 2* 3* 4* 5* [ 
  eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total),
    "<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, '<<FIELD>>','<<FIELD>>'." (".'percent_<<FIELD>>'."%)")
  ] |
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-18-2022 01:32 PM

Untested, but perhaps this will do.

| foreach 2* 3* 4* 5* [ 
  eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total),
    "<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, '<<FIELD>>','<<FIELD>>'." (".'percent_<<FIELD>>'."%)")
  ] |
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

djoobbani
Path Finder
‎08-18-2022 02:02 PM

Thanks richgalloway for your quick reply.

This worked half-way. So now i don't see any 0% percent anymore, but it still shows 100%.

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...