topic Re: if-else statement with timeframe in Getting Data In

if-else statement with timeframe

shreyad — Mon, 02 Jul 2018 15:15:53 GMT

I would like to specify my search to return a previous months + the current months data if the count outputted by just the current months data is less than 0. How would I do that?

Right now I have earliest = @mon for the current months data. How do I implement the if else statement?

I have this right now. Would this be in the first pipe?
eval (if count(data) <=0, earliest= -1mon@mon, else earliest=@mon )

Re: if-else statement with timeframe

somesoni2 — Mon, 02 Jul 2018 18:11:02 GMT

What search are you running?

Re: if-else statement with timeframe

niketn — Mon, 02 Jul 2018 18:12:18 GMT

@shreyad, what have you tried so far? Also what does the base search looks like for you? Is it based on only metadata fields like index sourcetype etc. or does it involve other Search Time extracted fields as well.

Re: if-else statement with timeframe

shreyad — Mon, 02 Jul 2018 18:17:37 GMT

There is an index, sourcetype and host. All I have tried is what I posted and "earliest = @mon." But that does not solve my issue of wanting to output the previous months data iff the count of the current month is <=0.

Re: if-else statement with timeframe

somesoni2 — Mon, 02 Jul 2018 18:31:30 GMT

If your base search only includes metadata fields (host/index/source/sourcetype ) or any index-time extracted fields, you can run something like this

index=foo sourcetype=bar  [| tstats count WHERE index=foo sourcetype=bar earliest=@mon | eval earliest=if(count=0,"-1mon@mon","@mon") | table earliest ] |....rest of the search

Re: if-else statement with timeframe

DalJeanis — Mon, 02 Jul 2018 22:13:17 GMT

A count cannot be less than zero. What are you trying to achieve?

In general, my approach would be to calculate the two items, then throw away the unwanted if the test is not met. Eventstats is useful for generating aggregations for that test. Here's one way to do that, in pseudocode...

 your search that gets all the data
 | eval  myflag= if (the event is this month,"Now","Before")
 | eventstats ... some aggregate command that adds up whatever you want to test for this month...
 | where myflag="Before" OR some test on the aggregate
 | the rest of your logic

If you only want the aggregated data, then use an actual stats command instead of eventstats, and add myflag as one of the group by fields.

Re: if-else statement with timeframe

woodcock — Fri, 06 Jul 2018 15:57:16 GMT

Like this:

Index=YouShouldAlwaysSpeciryINdex AND sourcetype=AndSourcetypeToo AND other stuff here
earliest = -1mon@mon latest=@s
| bucket _time span=1mon
| stats sum(YourFieldWithValuesHere) AS monthlyCount BY _time
| transpose
| tail 1
| eval count = if('row 2' <=0, 'row 1', 'row 2')
| table count