I have a field PP that I would like to use in an eval statement to get a percentage from JSON data, using spath.
Here is the search (split across lines for readability; the table column for attachment opens now matches the AttachOpen field created by spath):
index=main sourcetype=knowbe4
| head 1
| spath input=_raw path="{}.name" output=Campaign
| spath input=_raw path="{}.status" output=Status
| spath input=_raw path="{}.started_at" output=Started
| spath input=_raw path="{}.duration" output=Duration
| spath input=_raw path="{}.scheduled_count" output=Recipients
| spath input=_raw path="{}.delivered_count" output=Delivered
| spath input=_raw path="{}.clicked_count" output=Clicked
| spath input=_raw path="{}.attachment_open_count" output=AttachOpen
| spath input=_raw path="{}.reported_count" output=Reported
| spath input=_raw path="{}.phish_prone_percentage" output=PP
| convert num(PP) as PPP
| eval perc=(PP * 100)
| table Campaign Status Started Duration Recipients Delivered Clicked AttachOpen Reported PP perc PPP
I have values for PP and PPP but no value (null) for perc.
Table results (perc is empty):
Campaign   Status  Started  Duration  Recipients  Delivered  Clicked  AttachOpen  Reported  PP   perc  PPP
2018 W-2   Active  2/13/18  4         1657        1401       141      0           140       .17        .17
Try changing | eval perc=(PP * 100)
to | eval perc=(PPP*100)
in your query.
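The same pipeline with the corrected field name, as an added example rather than code from either post. It uses tonumber() on the spath output (an alternative to convert num()) and round() on the result; both are standard eval functions, and the field names are the ones from the question.

```spl
index=main sourcetype=knowbe4
| head 1
| spath input=_raw path="{}.name" output=Campaign
| spath input=_raw path="{}.phish_prone_percentage" output=PP
| eval PPP=tonumber(PP)
| eval perc=round(PPP * 100, 1)
| table Campaign PP PPP perc
```

Note that a "{}." path returns a multivalue field when the JSON array holds more than one campaign, so apply mvexpand (or pick one entry with mvindex) before the arithmetic if head 1 still yields several rows.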
@bwindham - Are you able to share any info on your KnowBe4 Splunk config? Is there a prebuilt app from KnowBe4 or did you build the API input script yourself?
Thank you for your time,
Scott
bwindham - I'm curious how you are getting your knowbe4 data into Splunk?
We are new knowbe4 customers and wanted to know if it's worth ingesting the data into Splunk.
thanks,
Dan
Yep, typo on my part.
@bwindham, after correcting the field name, if your issue is resolved then kindly accept the answer to mark this question as answered!