Solved: Re: how to show fields conditionally in search

djoobbani · ‎12-07-2022

Dear Splunk Community:

I have the following search query:

<Basic_Search> | chart count by path_template, http_status_code | addtotals fieldname=total
| foreach 2* 3* 4* 5* [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
"<<FIELD>>"=if('<<FIELD>>'=0 , '<<FIELD>>', '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")] | fields - percent_* total 2* 3* 4*

Attached is the screen result of the above query which shows the 500s columns.

I need to modify the above search so that it only displays the numbers where the percentage is great than 0.01%. How do i do that?

Thanks!

bowesmana · ‎12-07-2022

Change the foreach statement to do this

    [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
        "<<FIELD>>"=case('<<FIELD>>'=0 , '<<FIELD>>', 'percent_<<FIELD>>'>0.01, '<<FIELD>>'." (".'percent_<<FIELD>>'."%)", true(), null())]

i.e the percentage threshold of 0.01 or above will allow the value to be shown, otherwise it will clear it

View solution in original post

bowesmana · ‎12-07-2022

Change the foreach statement to do this

    [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
        "<<FIELD>>"=case('<<FIELD>>'=0 , '<<FIELD>>', 'percent_<<FIELD>>'>0.01, '<<FIELD>>'." (".'percent_<<FIELD>>'."%)", true(), null())]

i.e the percentage threshold of 0.01 or above will allow the value to be shown, otherwise it will clear it

djoobbani · ‎12-07-2022

Thank you!

djoobbani · ‎12-07-2022

You rock, thanks this works!

How to show fields conditionally in search?

chart

eval

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...