Splunk Search

Why doesn't my if clause work completely?

djoobbani
Path Finder

So i have the following SPL query:

<basic search> | chart count by path_template, http_status_code | addtotals fieldname=total | foreach 2* 3* 4* 5* [eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),"<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, '<<FIELD>>','<<FIELD>>'." (".'percent_<<FIELD>>'."%)")] | fields - percent_* total

Basically this is supposed to NOT display the percentage if it's 0 OR 100. However, running this query is still displaying 100% numbers.

Screen Shot 2022-08-18 at 3.37.33 PM.png

Do you know what is wrong in this condition checking? I even took out the OR and only had the condition check for 100 and it still didn't work.

Thanks!

 

Labels (1)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

@djoobbani wrote:

Basically this is supposed to NOT display the percentage if it's 0 OR 100. However, running this query is still displaying 100% numbers.

Your SPL is working precisely as written: when the value is 0 or 100, it displays the value itself (i.e., 0 or 100; that is what '<<FIELD>>' gives), not value + percentage.  Do you mean to say if the value is 0 or 100, do not display anything in the cell?  This you can achieve by

<basic search>
| chart count by url, http_status_code
| addtotals fieldname=total
| foreach 2* 3* 4* 5*
  [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
    "<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, null(), '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]

 Then, 100 in count is so arbitrary.  Maybe you mean to not display when percentage is 100?  For this latter requirement, try

<basic search>
| chart count by url, http_status_code
| addtotals fieldname=total
| foreach 2* 3* 4* 5*
  [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
    "<<FIELD>>"=if('<<FIELD>>'=0 OR 'percent_<<FIELD>>'=100, null(), '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]

  

View solution in original post

yuanliu
SplunkTrust
SplunkTrust

@djoobbani wrote:

Basically this is supposed to NOT display the percentage if it's 0 OR 100. However, running this query is still displaying 100% numbers.

Your SPL is working precisely as written: when the value is 0 or 100, it displays the value itself (i.e., 0 or 100; that is what '<<FIELD>>' gives), not value + percentage.  Do you mean to say if the value is 0 or 100, do not display anything in the cell?  This you can achieve by

<basic search>
| chart count by url, http_status_code
| addtotals fieldname=total
| foreach 2* 3* 4* 5*
  [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
    "<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, null(), '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]

 Then, 100 in count is so arbitrary.  Maybe you mean to not display when percentage is 100?  For this latter requirement, try

<basic search>
| chart count by url, http_status_code
| addtotals fieldname=total
| foreach 2* 3* 4* 5*
  [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
    "<<FIELD>>"=if('<<FIELD>>'=0 OR 'percent_<<FIELD>>'=100, null(), '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]

  

djoobbani
Path Finder

Yes precisely, thank you very much yuanliu for your solution!

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Hi @djoobbani .. may i know what reply you get when you run without that fields removal command at the very end.. like this..

<basic search> | chart count by path_template, http_status_code | addtotals fieldname=total | foreach 2* 3* 4* 5* [eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),"<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, '<<FIELD>>','<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]

djoobbani
Path Finder

Hi inventsekar:

so basically changing the query per your request:

<basic search> | chart count by url, http_status_code | addtotals fieldname=total | foreach 2* 3* 4* 5* [
eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),"<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, '<<FIELD>>','<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]

I get this:

Screen Shot 2022-08-18 at 4.48.21 PM.png

 

 

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...