Splunk Search

Why doesn't my if clause work completely?

djoobbani
Path Finder

So i have the following SPL query:

<basic search> | chart count by path_template, http_status_code | addtotals fieldname=total | foreach 2* 3* 4* 5* [eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),"<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, '<<FIELD>>','<<FIELD>>'." (".'percent_<<FIELD>>'."%)")] | fields - percent_* total

Basically this is supposed to NOT display the percentage if it's 0 OR 100. However, running this query is still displaying 100% numbers.

Screen Shot 2022-08-18 at 3.37.33 PM.png

Do you know what is wrong in this condition checking? I even took out the OR and only had the condition check for 100 and it still didn't work.

Thanks!

 

Labels (1)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

@djoobbani wrote:

Basically this is supposed to NOT display the percentage if it's 0 OR 100. However, running this query is still displaying 100% numbers.

Your SPL is working precisely as written: when the value is 0 or 100, it displays the value itself (i.e., 0 or 100; that is what '<<FIELD>>' gives), not value + percentage.  Do you mean to say if the value is 0 or 100, do not display anything in the cell?  This you can achieve by

<basic search>
| chart count by url, http_status_code
| addtotals fieldname=total
| foreach 2* 3* 4* 5*
  [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
    "<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, null(), '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]

 Then, 100 in count is so arbitrary.  Maybe you mean to not display when percentage is 100?  For this latter requirement, try

<basic search>
| chart count by url, http_status_code
| addtotals fieldname=total
| foreach 2* 3* 4* 5*
  [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
    "<<FIELD>>"=if('<<FIELD>>'=0 OR 'percent_<<FIELD>>'=100, null(), '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]

  

View solution in original post

yuanliu
SplunkTrust
SplunkTrust

@djoobbani wrote:

Basically this is supposed to NOT display the percentage if it's 0 OR 100. However, running this query is still displaying 100% numbers.

Your SPL is working precisely as written: when the value is 0 or 100, it displays the value itself (i.e., 0 or 100; that is what '<<FIELD>>' gives), not value + percentage.  Do you mean to say if the value is 0 or 100, do not display anything in the cell?  This you can achieve by

<basic search>
| chart count by url, http_status_code
| addtotals fieldname=total
| foreach 2* 3* 4* 5*
  [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
    "<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, null(), '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]

 Then, 100 in count is so arbitrary.  Maybe you mean to not display when percentage is 100?  For this latter requirement, try

<basic search>
| chart count by url, http_status_code
| addtotals fieldname=total
| foreach 2* 3* 4* 5*
  [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
    "<<FIELD>>"=if('<<FIELD>>'=0 OR 'percent_<<FIELD>>'=100, null(), '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]

  

djoobbani
Path Finder

Yes precisely, thank you very much yuanliu for your solution!

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Hi @djoobbani .. may i know what reply you get when you run without that fields removal command at the very end.. like this..

<basic search> | chart count by path_template, http_status_code | addtotals fieldname=total | foreach 2* 3* 4* 5* [eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),"<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, '<<FIELD>>','<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]

djoobbani
Path Finder

Hi inventsekar:

so basically changing the query per your request:

<basic search> | chart count by url, http_status_code | addtotals fieldname=total | foreach 2* 3* 4* 5* [
eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),"<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, '<<FIELD>>','<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]

I get this:

Screen Shot 2022-08-18 at 4.48.21 PM.png

 

 

0 Karma
Get Updates on the Splunk Community!

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...

Splunk With AppDynamics - Meet the New IT (And Engineering) Couple

Wednesday, November 20, 2024  |  10AM PT / 1PM ET Register Now Join us in this session to learn all about ...