Splunk Search

Why doesn't my if clause work completely?

djoobbani
Path Finder

So i have the following SPL query:

<basic search> | chart count by path_template, http_status_code | addtotals fieldname=total | foreach 2* 3* 4* 5* [eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),"<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, '<<FIELD>>','<<FIELD>>'." (".'percent_<<FIELD>>'."%)")] | fields - percent_* total

Basically this is supposed to NOT display the percentage if it's 0 OR 100. However, running this query is still displaying 100% numbers.

Screen Shot 2022-08-18 at 3.37.33 PM.png

Do you know what is wrong in this condition checking? I even took out the OR and only had the condition check for 100 and it still didn't work.

Thanks!

 

Labels (1)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

@djoobbani wrote:

Basically this is supposed to NOT display the percentage if it's 0 OR 100. However, running this query is still displaying 100% numbers.

Your SPL is working precisely as written: when the value is 0 or 100, it displays the value itself (i.e., 0 or 100; that is what '<<FIELD>>' gives), not value + percentage.  Do you mean to say if the value is 0 or 100, do not display anything in the cell?  This you can achieve by

<basic search>
| chart count by url, http_status_code
| addtotals fieldname=total
| foreach 2* 3* 4* 5*
  [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
    "<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, null(), '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]

 Then, 100 in count is so arbitrary.  Maybe you mean to not display when percentage is 100?  For this latter requirement, try

<basic search>
| chart count by url, http_status_code
| addtotals fieldname=total
| foreach 2* 3* 4* 5*
  [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
    "<<FIELD>>"=if('<<FIELD>>'=0 OR 'percent_<<FIELD>>'=100, null(), '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]

  

View solution in original post

yuanliu
SplunkTrust
SplunkTrust

@djoobbani wrote:

Basically this is supposed to NOT display the percentage if it's 0 OR 100. However, running this query is still displaying 100% numbers.

Your SPL is working precisely as written: when the value is 0 or 100, it displays the value itself (i.e., 0 or 100; that is what '<<FIELD>>' gives), not value + percentage.  Do you mean to say if the value is 0 or 100, do not display anything in the cell?  This you can achieve by

<basic search>
| chart count by url, http_status_code
| addtotals fieldname=total
| foreach 2* 3* 4* 5*
  [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
    "<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, null(), '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]

 Then, 100 in count is so arbitrary.  Maybe you mean to not display when percentage is 100?  For this latter requirement, try

<basic search>
| chart count by url, http_status_code
| addtotals fieldname=total
| foreach 2* 3* 4* 5*
  [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
    "<<FIELD>>"=if('<<FIELD>>'=0 OR 'percent_<<FIELD>>'=100, null(), '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]

  

djoobbani
Path Finder

Yes precisely, thank you very much yuanliu for your solution!

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Hi @djoobbani .. may i know what reply you get when you run without that fields removal command at the very end.. like this..

<basic search> | chart count by path_template, http_status_code | addtotals fieldname=total | foreach 2* 3* 4* 5* [eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),"<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, '<<FIELD>>','<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]

djoobbani
Path Finder

Hi inventsekar:

so basically changing the query per your request:

<basic search> | chart count by url, http_status_code | addtotals fieldname=total | foreach 2* 3* 4* 5* [
eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),"<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, '<<FIELD>>','<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]

I get this:

Screen Shot 2022-08-18 at 4.48.21 PM.png

 

 

0 Karma
Get Updates on the Splunk Community!

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...