So i have the following SPL query:
<basic search> | chart count by path_template, http_status_code | addtotals fieldname=total | foreach 2* 3* 4* 5* [eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),"<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, '<<FIELD>>','<<FIELD>>'." (".'percent_<<FIELD>>'."%)")] | fields - percent_* total
Basically this is supposed to NOT display the percentage if it's 0 OR 100. However, running this query is still displaying 100% numbers.
Do you know what is wrong in this condition checking? I even took out the OR and only had the condition check for 100 and it still didn't work.
Thanks!
@djoobbani wrote:Basically this is supposed to NOT display the percentage if it's 0 OR 100. However, running this query is still displaying 100% numbers.
Your SPL is working precisely as written: when the value is 0 or 100, it displays the value itself (i.e., 0 or 100; that is what '<<FIELD>>' gives), not value + percentage. Do you mean to say if the value is 0 or 100, do not display anything in the cell? This you can achieve by
<basic search>
| chart count by url, http_status_code
| addtotals fieldname=total
| foreach 2* 3* 4* 5*
[ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
"<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, null(), '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]
Then, 100 in count is so arbitrary. Maybe you mean to not display when percentage is 100? For this latter requirement, try
<basic search>
| chart count by url, http_status_code
| addtotals fieldname=total
| foreach 2* 3* 4* 5*
[ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
"<<FIELD>>"=if('<<FIELD>>'=0 OR 'percent_<<FIELD>>'=100, null(), '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]
@djoobbani wrote:Basically this is supposed to NOT display the percentage if it's 0 OR 100. However, running this query is still displaying 100% numbers.
Your SPL is working precisely as written: when the value is 0 or 100, it displays the value itself (i.e., 0 or 100; that is what '<<FIELD>>' gives), not value + percentage. Do you mean to say if the value is 0 or 100, do not display anything in the cell? This you can achieve by
<basic search>
| chart count by url, http_status_code
| addtotals fieldname=total
| foreach 2* 3* 4* 5*
[ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
"<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, null(), '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]
Then, 100 in count is so arbitrary. Maybe you mean to not display when percentage is 100? For this latter requirement, try
<basic search>
| chart count by url, http_status_code
| addtotals fieldname=total
| foreach 2* 3* 4* 5*
[ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
"<<FIELD>>"=if('<<FIELD>>'=0 OR 'percent_<<FIELD>>'=100, null(), '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]
Yes precisely, thank you very much yuanliu for your solution!
Hi @djoobbani .. may i know what reply you get when you run without that fields removal command at the very end.. like this..
<basic search> | chart count by path_template, http_status_code | addtotals fieldname=total | foreach 2* 3* 4* 5* [eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),"<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, '<<FIELD>>','<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]
Hi inventsekar:
so basically changing the query per your request:
<basic search> | chart count by url, http_status_code | addtotals fieldname=total | foreach 2* 3* 4* 5* [
eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),"<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, '<<FIELD>>','<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]
I get this: