Splunk Search

substr result

katouoma
New Member

Hi,

I'm trying to use substr to extract the first 4 characters of my result (perc_err_test1 & perc_err_test2), but i don't know how to do it :

... | eval Error = if(test1 > 2,1,0) | eval Erreur = if(test2 > 2,1,0) 
| stats count as TOTAL, sum(Erreur)  as Erreur_test1, sum(Error) as Error_test2 
| eval perc_err_test1 = (Erreur_test1 / TOTAL) * 100 ." %" | eval perc_err_test2 = (Error_test2 / TOTAL) * 100 ." %"

Here is my result :
alt text

0 Karma
1 Solution

FrankVl
Ultra Champion

What is the result you are after, based on this example? What have you tried and is not working?

I'm guessing you actually want to round the precentage, rather than taking the first 4 characters?

So: update your existing percentage calculating evals to look something like this: | eval perc_err_test1 = round((Erreur_test1 / TOTAL) * 100,2) ." %"

PS: you might want to look at alternative ways of adding that percentage sign. E.g. using | fieldformat perc_err_test1=perc_err_test1." %" such that the original numerical values are preserved for better sorting etc.

PPS: I took the liberty of editing your question, to put the search commands as code (using that 101010 button). That makes it easier to read and also prevents some special characters like * in this case from dissapearing 🙂

View solution in original post

0 Karma

TISKAR
Builder

Can you try this please:

| eval Error = if(test1 > 2,1,0) | eval Erreur = if(test2 > 2,1,0) 
 | stats count as TOTAL, sum(Erreur)  as Erreur_test1, sum(Error) as Error_test2 
 | eval perc_err_test1 = round((Erreur_test1 / TOTAL) * 100,2)."%" , perc_err_test2 =round( (Error_test2 / TOTAL) * 100,2)."%" 

OR if you want use subtr command:

| eval Error = if(test1 > 2,1,0) | eval Erreur = if(test2 > 2,1,0) 
 | stats count as TOTAL, sum(Erreur)  as Erreur_test1, sum(Error) as Error_test2 
 | eval perc_err_test1 =(Erreur_test1 / TOTAL) * 100,2) , perc_err_test2 =(Error_test2 / TOTAL) * 100,2) 
 | eval perc_err_test1=substr(perc_err_test1,1,5)."%", perc_err_test2=substr(perc_err_test2,1,5)."%"

katouoma
New Member

Thank you @TISKAR this is exactly what i'm looking for (the first one using the "round" command)

0 Karma

TISKAR
Builder

Can you up vote please to help another person

0 Karma

katouoma
New Member

Yes but how can I do it ? (I'm new here ..)

0 Karma

TISKAR
Builder

In left you have zero betwen two arrow clic to up vote, Thank's

0 Karma

deepashri_123
Motivator

Hi katouoma,

Can you try using round instead:
eval perc_err_test2 = round((Error_test2 / TOTAL) 100,4) ." %"

Let me know if this helps!!

0 Karma

katouoma
New Member

Yeah this is the right answer but using : 100,3 rather than 100,4

0 Karma

FrankVl
Ultra Champion

What is the result you are after, based on this example? What have you tried and is not working?

I'm guessing you actually want to round the precentage, rather than taking the first 4 characters?

So: update your existing percentage calculating evals to look something like this: | eval perc_err_test1 = round((Erreur_test1 / TOTAL) * 100,2) ." %"

PS: you might want to look at alternative ways of adding that percentage sign. E.g. using | fieldformat perc_err_test1=perc_err_test1." %" such that the original numerical values are preserved for better sorting etc.

PPS: I took the liberty of editing your question, to put the search commands as code (using that 101010 button). That makes it easier to read and also prevents some special characters like * in this case from dissapearing 🙂

0 Karma

katouoma
New Member

Thanks a lot for your explanation, that was really helpful

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...