Splunk Search

How to create eval statement to get percentage from 2 fields extracted with spath on JSON data?

bwindham
Path Finder

I have a field PP that I would like to use in eval statement to get a percentage from JSON data and using spath.

Here is the search:

index=main sourcetype=knowbe4
| head 1
| spath input=_raw path="{}.name" output=Campaign
| spath input=_raw path="{}.status" output=Status
| spath input=_raw path="{}.started_at" output=Started
| spath input=_raw path="{}.duration" output=Duration
| spath input=_raw path="{}.scheduled_count" output=Recipients
| spath input=_raw path="{}.delivered_count" output=Delivered
| spath input=_raw path="{}.clicked_count" output=Clicked
| spath input=_raw path="{}.attachment_open_count" output="AttachOpen"
| spath input=_raw path="{}.reported_count" output=Reported
| spath input=_raw path="{}.phish_prone_percentage" output=PP
| convert num(PP) as PPP
| eval perc=(PP * 100)
| table Campaign Status Started Duration Recipients Delivered Clicked "Attachment Open" Reported PP perc PPP

I have values for PP and PPP but no value (null) for perc.

Table results:

Campaign   Status   Started   Duration   Recipients   Delivered   Clicked   AttachOpen   Reported   PP    perc   PPP
2018 W-2   Active   2/13/18   4          1657         1401        141       0            140        .17          .17
0 Karma
1 Solution

somesoni2
Revered Legend

Try changing | eval perc=(PP * 100) to | eval perc=(PPP*100) in your query.


0 Karma
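A self-contained search that reproduces the question's setup on a constructed one-element JSON array (an added example, not from the original post or from KnowBe4), so the corrected eval can be checked without the knowbe4 sourcetype; the field values are made up, and tonumber() is shown as an alternative to the convert step:

```spl
| makeresults
| eval _raw="[{\"name\":\"2018 W-2\",\"status\":\"Active\",\"scheduled_count\":1657,\"delivered_count\":1401,\"clicked_count\":141,\"reported_count\":140,\"phish_prone_percentage\":\".17\"}]"
| spath input=_raw path="{}.name" output=Campaign
| spath input=_raw path="{}.status" output=Status
| spath input=_raw path="{}.scheduled_count" output=Recipients
| spath input=_raw path="{}.clicked_count" output=Clicked
| spath input=_raw path="{}.phish_prone_percentage" output=PP
| convert num(PP) as PPP
| eval perc=(PPP*100)
| eval perc_alt=tonumber(PP)*100
| table Campaign Status Recipients Clicked PP PPP perc perc_alt
```

Both perc and perc_alt should come out as 17 for this constructed event; the "{}." paths mean every element of the array is read, so with more than one campaign per event the extracted fields become multivalue.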

s33butler
New Member

@bwindham - Are you able to share any info on your KnowBe4 Splunk config? Is there a prebuilt app from KnowBe4 or did you build the API input script yourself?

Thank you for your time,
Scott

0 Karma

dacosta123
Explorer

bwindham - I'm curious about how you are getting your knowbe4 data into Splunk?

We are new knowbe4 customers and wanted to know if it's worth ingesting the data into Splunk.

thanks,

Dan

0 Karma

bwindham
Path Finder

yep, typo on my part

0 Karma

niketnilay
Legend

@bwindham, after correcting the fieldname if your issue is resolved, then kindly accept the answer to mark this question as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma