Why doesn't my if clause work completely?

djoobbani
Path Finder

So I have the following SPL query:

<basic search> | chart count by path_template, http_status_code | addtotals fieldname=total | foreach 2* 3* 4* 5* [eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),"<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, '<<FIELD>>','<<FIELD>>'." (".'percent_<<FIELD>>'."%)")] | fields - percent_* total

Basically this is supposed to NOT display the percentage if it's 0 OR 100. However, running this query is still displaying 100% numbers.

[Screenshot: Screen Shot 2022-08-18 at 3.37.33 PM.png]

Do you know what is wrong in this condition checking? I even took out the OR and only had the condition check for 100 and it still didn't work.

Thanks!

 


yuanliu
SplunkTrust

@djoobbani wrote:

Basically this is supposed to NOT display the percentage if it's 0 OR 100. However, running this query is still displaying 100% numbers.

Your SPL is working precisely as written: when the value is 0 or 100, it displays the value itself (i.e., 0 or 100; that is what '<<FIELD>>' gives), not value + percentage.  Do you mean to say if the value is 0 or 100, do not display anything in the cell?  This you can achieve by

<basic search>
| chart count by url, http_status_code
| addtotals fieldname=total
| foreach 2* 3* 4* 5*
  [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
    "<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, null(), '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]

Then, 100 in count is so arbitrary. Maybe you mean to not display when percentage is 100? For this latter requirement, try

<basic search>
| chart count by url, http_status_code
| addtotals fieldname=total
| foreach 2* 3* 4* 5*
  [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
    "<<FIELD>>"=if('<<FIELD>>'=0 OR 'percent_<<FIELD>>'=100, null(), '<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]
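
A run-anywhere comparison of the three conditions discussed in this answer, added here as an example that is not part of the original posts. It replaces `<basic search>` with constructed events from `makeresults` and writes each variant to its own column instead of overwriting the count, so the results can be read side by side. The `/sample/...` URLs, the event counts, and the `original_*`, `blank_on_count_*` and `blank_on_percent_*` field names are assumptions made up for the illustration.

```spl
| makeresults count=153
| streamstats count AS n
| eval url=if(n<=150, "/sample/login", "/sample/health"),
       http_status_code=if(n>100 AND n<=150, "500", "200")
| chart count by url, http_status_code
| addtotals fieldname=total
| foreach 2* 3* 4* 5*
  [ eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),
    "original_<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, '<<FIELD>>', '<<FIELD>>'." (".'percent_<<FIELD>>'."%)"),
    "blank_on_count_<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, null(), '<<FIELD>>'." (".'percent_<<FIELD>>'."%)"),
    "blank_on_percent_<<FIELD>>"=if('<<FIELD>>'=0 OR 'percent_<<FIELD>>'=100, null(), '<<FIELD>>'." (".'percent_<<FIELD>>'."%)") ]
| fields url original_* blank_on_count_* blank_on_percent_*
```

The constructed data gives `/sample/login` a 200 count of exactly 100 out of 150 events and `/sample/health` three events that are all 200, so the two rows separate a count of 100 from a percentage of 100.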

  

djoobbani
Path Finder

Yes precisely, thank you very much yuanliu for your solution!


inventsekar
SplunkTrust

Hi @djoobbani, may I know what reply you get when you run without that fields removal command at the very end, like this:

<basic search> | chart count by path_template, http_status_code | addtotals fieldname=total | foreach 2* 3* 4* 5* [eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),"<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, '<<FIELD>>','<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]

djoobbani
Path Finder

Hi inventsekar:

So basically changing the query per your request:

<basic search> | chart count by url, http_status_code | addtotals fieldname=total | foreach 2* 3* 4* 5* [
eval "percent_<<FIELD>>"=round(100*'<<FIELD>>'/total,2),"<<FIELD>>"=if('<<FIELD>>'=0 OR '<<FIELD>>'=100, '<<FIELD>>','<<FIELD>>'." (".'percent_<<FIELD>>'."%)")]

I get this:

[Screenshot: Screen Shot 2022-08-18 at 4.48.21 PM.png]

 

 
