Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is fieldformat not working if I don't include a certain value in the table?

danoconnl
Explorer
‎09-15-2016 07:50 AM

here is my search, I'm trying to create a report that shows the error count, error percentage, and total transaction count...

| dedup TransactionID | stats count As ErrorCount by TransactionName  | appendcols [search Message="Calling ProcessRequest" | stats count as TotalTransactionCount by TransactionName ]|eval ErrorPerc= if (isnull(ErrorCount), 0, ErrorCount/TotalTransactionCount) | fieldformat ErrorPercentage = tostring(round(ErrorPerc,6)*100)."%" | Table TransactionName  ErrorPercentage ErrorCount ErrorPerc TotalTransactionCount | fillnull value=0 | sort -ErrorCount

If I don't include ErrorPerc in the table, ErrorPercentage shows up as null. I really don't want ErrorPerc in there since it's less readable and a duplicate of ErrorPercentage

Dan

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-15-2016 09:26 AM

Try this

| dedup TransactionID | stats count As ErrorCount by TransactionName | appendcols [search Message="Calling ProcessRequest" | stats count as TotalTransactionCount by TransactionName ]|eval ErrorPercentage = if (isnull(ErrorCount), 0, ErrorCount/TotalTransactionCount) | fieldformat ErrorPercentage=tostring(round(ErrorPercentage,6)*100)."%" | Table TransactionName ErrorPercentage ErrorCount TotalTransactionCount | fillnull value=0 | sort -ErrorCount

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-15-2016 09:26 AM

Try this

| dedup TransactionID | stats count As ErrorCount by TransactionName | appendcols [search Message="Calling ProcessRequest" | stats count as TotalTransactionCount by TransactionName ]|eval ErrorPercentage = if (isnull(ErrorCount), 0, ErrorCount/TotalTransactionCount) | fieldformat ErrorPercentage=tostring(round(ErrorPercentage,6)*100)."%" | Table TransactionName ErrorPercentage ErrorCount TotalTransactionCount | fillnull value=0 | sort -ErrorCount
0 Karma
Reply
Get Updates on the Splunk Community!

Harnessing Splunk’s Federated Search for Amazon S3

Managing your data effectively often means balancing performance, costs, and compliance. Splunk’s Federated ...

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...