Splunk Search

substr result

katouoma
New Member

Hi,

I'm trying to use substr to extract the first 4 characters of my result (perc_err_test1 & perc_err_test2), but I don't know how to do it:

... | eval Error = if(test1 > 2,1,0) | eval Erreur = if(test2 > 2,1,0) 
| stats count as TOTAL, sum(Erreur)  as Erreur_test1, sum(Error) as Error_test2 
| eval perc_err_test1 = (Erreur_test1 / TOTAL) * 100 ." %" | eval perc_err_test2 = (Error_test2 / TOTAL) * 100 ." %"

Here is my result :

0 Karma
1 Solution

FrankVl
Ultra Champion

What is the result you are after, based on this example? What have you tried and is not working?

I'm guessing you actually want to round the percentage, rather than taking the first 4 characters?

So: update your existing percentage calculating evals to look something like this: | eval perc_err_test1 = round((Erreur_test1 / TOTAL) * 100,2) ." %"

PS: you might want to look at alternative ways of adding that percentage sign. E.g. using | fieldformat perc_err_test1=perc_err_test1." %" such that the original numerical values are preserved for better sorting etc.

PPS: I took the liberty of editing your question, to put the search commands as code (using that 101010 button). That makes it easier to read and also prevents some special characters like * in this case from disappearing 🙂


0 Karma

TISKAR
Builder

Can you try this please:

| eval Error = if(test1 > 2,1,0) | eval Erreur = if(test2 > 2,1,0) 
 | stats count as TOTAL, sum(Erreur)  as Erreur_test1, sum(Error) as Error_test2 
 | eval perc_err_test1 = round((Erreur_test1 / TOTAL) * 100,2)."%" , perc_err_test2 =round( (Error_test2 / TOTAL) * 100,2)."%" 

Or, if you want to use the substr command:

| eval Error = if(test1 > 2,1,0) | eval Erreur = if(test2 > 2,1,0) 
 | stats count as TOTAL, sum(Erreur)  as Erreur_test1, sum(Error) as Error_test2 
 | eval perc_err_test1 = (Erreur_test1 / TOTAL) * 100, perc_err_test2 = (Error_test2 / TOTAL) * 100
 | eval perc_err_test1=substr(perc_err_test1,1,5)."%", perc_err_test2=substr(perc_err_test2,1,5)."%"

katouoma
New Member

Thank you @TISKAR, this is exactly what I'm looking for (the first one using the "round" command)

0 Karma

TISKAR
Builder

Can you upvote, please, to help other people?

0 Karma

katouoma
New Member

Yes but how can I do it ? (I'm new here ..)

0 Karma

TISKAR
Builder

On the left you have a zero between two arrows; click to upvote. Thanks

0 Karma

deepashri_123
Motivator

Hi katouoma,

Can you try using round instead:
eval perc_err_test2 = round((Error_test2 / TOTAL) * 100,4) ." %"

Let me know if this helps!!

0 Karma

katouoma
New Member

Yeah this is the right answer but using : 100,3 rather than 100,4

0 Karma

katouoma
New Member

Thanks a lot for your explanation, that was really helpful

0 Karma
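
Added example, not part of the thread or any poster's code: it runs the substr variant from TISKAR's answer next to the round and fieldformat approach from FrankVl's answer, so the difference in truncation and in sort order can be compared row by row. The rows are constructed with makeresults; host_id, the counts and the pct_* field names are assumptions made for the illustration.

```spl
| makeresults count=4
| streamstats count as host_id
| eval TOTAL = 700
| eval Erreur_test1 = case(host_id==1, 700, host_id==2, 500, host_id==3, 40, host_id==4, 0)
| eval pct = (Erreur_test1 / TOTAL) * 100
| eval pct_substr = substr(pct, 1, 5)."%"
| eval pct_round_string = round(pct, 2)."%"
| eval pct_sortable = round(pct, 2)
| fieldformat pct_sortable = pct_sortable." %"
| sort - pct_sortable
| table host_id Erreur_test1 TOTAL pct pct_substr pct_round_string pct_sortable
```

substr cuts the string after five characters, so the last digit is not rounded and the number of decimals kept depends on how many digits precede the decimal point. pct_sortable stays numeric because fieldformat only changes how the value is displayed, whereas pct_round_string is a string and sorts as one.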