Eval with an If Statement

sahr · ‎09-07-2017

Hello,

I am trying to use and eval and if statement to calculate a percentage and I am not sure if I am doing something wrong or possible using the wrong spl or functions for this calculation.

Basically I have multiple agencies that have a total number of Splunk servers...

AGENCY ------- COUNT OF SPLUNK_SERVERS
Agency A -------- 30
Agency B --------- 20
Agency C -------- 15

Agency D -------- 12

I am using a rest spl to get the active Servers and want to divide by the absolute numbers above, so I was trying something like this

base search yields X number per Agency===we will say it's called the "count" field
|eval "Percentage of Available Servers"=if(Agency=Agency A, count/30)*100

As I researched, I know I was not doing the right thing and I know there are probably multiple ways that would be much easier so I thought I would ask for help. I have created a lookup* but not quite sure how to make it work with what I want to do*

Thanks in Advance.

woodcock · ‎09-07-2017

Try this:

base search yields
| stats count BY Agency
| eval Percentage_of_Available_Servers = 100 * count / case(Agency="Agency A", 30
                                                            Agency="Agency B", 20,
                                                            Agency="Agency C", 15,
                                                            Agency="Agency D", 12,
                                                            true(), 9999999999999)

Eval with an If Statement

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!