Splunk Search

Calculated values showing wrong results. I have the search string attached, what am I doign wrong, here

rajendra_b
New Member
source =/opt/data/splunkLogs/order_transaction.log | eval TotalOrders=if(match(OrderStatus,"In Progress"),count,0) | eval CompOrders=if(match(OrderStatus,"Complete"),count,0) | eval ErrOrders=if(match(OrderStatus,"In Error"),count,0) | eval InProgOrders=(TotalOrders - CompOrders - ErrOrders)

I want to calculate these values from the events:
Total Orders = All orders with In progress status.
Complete Orders = All orders with Complete status.
Orders in Error = All orders with In Error status.
Inpogress Orders = TotalOrders - CompleteOrders - InErrorOrders

Tags (1)
0 Karma
1 Solution

MuS
Legend

Hi rajendra_b,

use either eval TotalOrders=if(match(OrderStatus,"In Progress"),count,"0")
or eval TotalOrders=if(match(OrderStatus,"In Progress"),count,null())

Hope this helps ...

cheers, MuS

View solution in original post

MuS
Legend

Hi rajendra_b,

use either eval TotalOrders=if(match(OrderStatus,"In Progress"),count,"0")
or eval TotalOrders=if(match(OrderStatus,"In Progress"),count,null())

Hope this helps ...

cheers, MuS

rajendra_b
New Member

Thanks for responding. I modified it like below and it works now. However when I use this in Pie chart the values are only displayed when you hover the mouse on it, I want it to display on the panel as well. How can we do that.

source =/opt/data/splunkLogs/order_transaction.log | dedup OrderId | stats count(eval(OrderStatus="In Progress")) AS InProgOrders, count(eval(OrderStatus="Complete")) AS CompOrders, count(eval(OrderStatus="In Error")) AS ErrOrders | eval TotalOrders=(InProgOrders + CompOrders + ErrOrders) | table TotalOrders, CompOrders, InProgOrders, ErrOrders
0 Karma

MuS
Legend

Hi, this is indeed possible if you use some tricks 😉

Take a look at this answer http://answers.splunk.com/answers/91517/displaying-count-as-label-in-pie-graph.html or at this app https://apps.splunk.com/app/1161/

cheers, MuS

0 Karma

rajendra_b
New Member

MuS,
Thanks a lot for the suggestions. The Percentage is being displayed, however the count is not. I am trying different ways to render the count. Here is my query just in case.

source =/opt/data/splunkLogs/order_transaction.log | dedup OrderId | stats count(eval(OrderStatus="In Progress")) AS InProgress, count(eval(OrderStatus="Complete")) AS Complete, count(eval(OrderStatus="In Error")) AS Error |  transpose 
0 Karma

rajendra_b
New Member

Finally this works. Thank you all for the help. This displays the count as well.

source =/opt/data/splunkLogs/order_transaction.log | dedup OrderId | top OrderStatus | eval OrderStatus=OrderStatus." :".count

Used this to display percentage in the XML as provided earlier.

<option name="charting.chart.showPercent">true</option>
0 Karma

ramdaspr
Contributor

You can only show percentages along with labels but not the counts

    <option name="charting.chart.showPercent">true</option>
0 Karma

rajendra_b
New Member

Thanks a lot for the help Ramdaspr. The Percentage works.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...