Eval with an If Statement

sahr · ‎09-07-2017

Hello,

I am trying to use and eval and if statement to calculate a percentage and I am not sure if I am doing something wrong or possible using the wrong spl or functions for this calculation.

Basically I have multiple agencies that have a total number of Splunk servers...

AGENCY ------- COUNT OF SPLUNK_SERVERS
Agency A -------- 30
Agency B --------- 20
Agency C -------- 15

Agency D -------- 12

I am using a rest spl to get the active Servers and want to divide by the absolute numbers above, so I was trying something like this

base search yields X number per Agency===we will say it's called the "count" field
|eval "Percentage of Available Servers"=if(Agency=Agency A, count/30)*100

As I researched, I know I was not doing the right thing and I know there are probably multiple ways that would be much easier so I thought I would ask for help. I have created a lookup* but not quite sure how to make it work with what I want to do*

Thanks in Advance.

woodcock · ‎09-07-2017

Try this:

base search yields
| stats count BY Agency
| eval Percentage_of_Available_Servers = 100 * count / case(Agency="Agency A", 30
                                                            Agency="Agency B", 20,
                                                            Agency="Agency C", 15,
                                                            Agency="Agency D", 12,
                                                            true(), 9999999999999)

Eval with an If Statement

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms