https://community.splunk.com/t5/Splunk-Search/Can-I-even-do-this-with-an-IF/m-p/46063#M10997 <P>Hi, multi value field called OverallStatus - states are On Track, Marginal, Critical. Another field ID, contains a unique value to count.</P> <PRE><CODE>| stats count(ID) AS Event count(eval(OverallStatus="On Track")) AS OnTrack count(eval(OverallStatus="Marginal")) AS Marginal count(eval(OverallStatus="Critical")) AS Red by Project ID </CODE></PRE> <P>Here is the metric: ( basically a Red - Yellow - Green )</P> <P>Green = 80% or more projects are green and none are Red. Yellow = 70% - 79% projects are green or 1 – 20% are Red. Red = under 70% projects are green or over 20% are Red.</P> <P>I just can't get my head around the "IF" ... Really only need to show this back in a Red Yellow or Green.</P> <P>Any help or direction, would be greatly appreciated!</P> <P>Cheers...</P> Mon, 26 Aug 2013 12:56:29 GMT edenzler 2013-08-26T12:56:29Z https://community.splunk.com/t5/Splunk-Search/Can-I-even-do-this-with-an-IF/m-p/46063#M10997 <P>Hi, multi value field called OverallStatus - states are On Track, Marginal, Critical. Another field ID, contains a unique value to count.</P> <PRE><CODE>| stats count(ID) AS Event count(eval(OverallStatus="On Track")) AS OnTrack count(eval(OverallStatus="Marginal")) AS Marginal count(eval(OverallStatus="Critical")) AS Red by Project ID </CODE></PRE> <P>Here is the metric: ( basically a Red - Yellow - Green )</P> <P>Green = 80% or more projects are green and none are Red. Yellow = 70% - 79% projects are green or 1 – 20% are Red. Red = under 70% projects are green or over 20% are Red.</P> <P>I just can't get my head around the "IF" ... Really only need to show this back in a Red Yellow or Green.</P> <P>Any help or direction, would be greatly appreciated!</P> <P>Cheers...</P> Mon, 26 Aug 2013 12:56:29 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-even-do-this-with-an-IF/m-p/46063#M10997 edenzler 2013-08-26T12:56:29Z https://community.splunk.com/t5/Splunk-Search/Can-I-even-do-this-with-an-IF/m-p/46064#M10998 <P>Try this</P> <PRE><CODE>yoursearchhere | stats count(ID) AS Event count(eval(OverallStatus="On Track")) AS OnTrack count(eval(OverallStatus="Marginal")) AS Marginal count(eval(OverallStatus="Critical")) AS Critical by ProjectID | eval percentOnTrack = OnTrack * 100 / (OnTrack + Marginal + Critical) | eval percentMarginal = Marginal * 100 / (OnTrack + Marginal + Critical) | eval percentCritical = Critical * 100 / (OnTrack + Marginal + Critical) | eval Status = case(percentOnTrack &gt; 79 AND percentCritical = 0, "Green", percentOnTrack &gt; 69 AND percentOnTrack &lt; 80, "Yellow", percentCritical &gt; 0 AND percentCritical &lt; 21, "Yellow", percentOnTrack &lt; 70,"Red", percentCritical &gt; 20,"Red", 1=1,"Unknown") | table ProjectID Status percentOnTrack percentMarginal percentCritical OnTrack Marginal Critical </CODE></PRE> <P>You could do it with an <CODE>if</CODE>, but I just think it is easier with a <CODE>case</CODE> function.</P> Mon, 26 Aug 2013 20:58:14 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-even-do-this-with-an-IF/m-p/46064#M10998 lguinn2 2013-08-26T20:58:14Z https://community.splunk.com/t5/Splunk-Search/Can-I-even-do-this-with-an-IF/m-p/46065#M10999 <P>Thanks Iguinn! I managed to do it this way, wondering which one would be better?</P> <P>| stats count(ID) AS Event count(eval(OverallStatus="On Track")) AS Green count(eval(OverallStatus="Marginal")) AS Yellow count(eval(OverallStatus="Critical")) AS Red by Product<BR /> | eval Green1=Green / Event * 100<BR /> | eval Yellow1=Yellow / Event * 100<BR /> | eval Red1=Red / Event * 100<BR /> | table Product Event Red Yellow Green Red1 Yellow1 Green1 | eval "Overall Status" = if (Green1 &lt;= 70 OR Red1 &gt;= 20, "Red", if (Green1 &gt;= 70 AND Green1 &lt;= 79.9 AND Red1 &lt;= 20, "Yellow", if (Green1 &gt;= 80 AND Red &lt;= 0, "Green","Unknown")))</P> <P>Cheers!</P> Mon, 26 Aug 2013 21:30:08 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-even-do-this-with-an-IF/m-p/46065#M10999 edenzler 2013-08-26T21:30:08Z https://community.splunk.com/t5/Splunk-Search/Can-I-even-do-this-with-an-IF/m-p/46066#M11000 <P>I don't know which one is faster, I just like the <CODE>case</CODE> function because I find it easier to read and debug!</P> <P>You could try them both and look at the search job inspector for the run time... that's not perfectly accurate because search load varies moment to moment - but if there is a big difference you will see it. (Search job inspector = the box with the "i" in case you didn't know)</P> Tue, 27 Aug 2013 17:46:40 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-even-do-this-with-an-IF/m-p/46066#M11000 lguinn2 2013-08-27T17:46:40Z