https://community.splunk.com/t5/Splunk-Search/Conditional-find-and-replace/m-p/413838#M119255 <P>Hello,</P> <P>I have a question on a conditional find and replace. I have a query that calculates a mean for the different hours on the different days. This query looks like this: </P> <P>index=index1 adapter_name=ABSAdapter earliest=-90d <BR /> | timechart span="1h" sum(number_of_records) as aantal <BR /> | eval time=strftime(_time,"%w%H") <BR /> | eventstats mean(aantal) as meanAantal, stdev(aantal) as stdAantal by time <BR /> | where (aantal&gt;(meanAantal + (stdAantal * -3)) AND aantal&lt;(meanAantal + (stdAantal * 3)))<BR /> | stats mean(aantal) as threshold by time<BR /> | eventstats mean(threshold) as overalMean<BR /> | table threshold, time, overalMean</P> <P>Now I also want to find and replace threshold values that are under a certain value to 0. The condition should be something like: </P> <P>if(threshold &lt; overalMean*0.20) --&gt; threshold = 0<BR /> else --&gt; threshold = threshold</P> <P>Does anyone know how to do this? </P> <P>Thanks in advance and kind regards,<BR /> Willem</P> Wed, 30 Sep 2020 01:30:37 GMT willemjongeneel 2020-09-30T01:30:37Z https://community.splunk.com/t5/Splunk-Search/Conditional-find-and-replace/m-p/413838#M119255 <P>Hello,</P> <P>I have a question on a conditional find and replace. I have a query that calculates a mean for the different hours on the different days. This query looks like this: </P> <P>index=index1 adapter_name=ABSAdapter earliest=-90d <BR /> | timechart span="1h" sum(number_of_records) as aantal <BR /> | eval time=strftime(_time,"%w%H") <BR /> | eventstats mean(aantal) as meanAantal, stdev(aantal) as stdAantal by time <BR /> | where (aantal&gt;(meanAantal + (stdAantal * -3)) AND aantal&lt;(meanAantal + (stdAantal * 3)))<BR /> | stats mean(aantal) as threshold by time<BR /> | eventstats mean(threshold) as overalMean<BR /> | table threshold, time, overalMean</P> <P>Now I also want to find and replace threshold values that are under a certain value to 0. The condition should be something like: </P> <P>if(threshold &lt; overalMean*0.20) --&gt; threshold = 0<BR /> else --&gt; threshold = threshold</P> <P>Does anyone know how to do this? </P> <P>Thanks in advance and kind regards,<BR /> Willem</P> Wed, 30 Sep 2020 01:30:37 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-find-and-replace/m-p/413838#M119255 willemjongeneel 2020-09-30T01:30:37Z https://community.splunk.com/t5/Splunk-Search/Conditional-find-and-replace/m-p/413839#M119256 <P>I got this working just after I asked the question... </P> <P>Solution: | eval threshold=case(threshold &lt; overalMean*0.05, 0, threshold &gt; overalMean*0.05, threshold) </P> Wed, 30 Sep 2020 01:30:39 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-find-and-replace/m-p/413839#M119256 willemjongeneel 2020-09-30T01:30:39Z https://community.splunk.com/t5/Splunk-Search/Conditional-find-and-replace/m-p/413840#M119257 <P>I got this working just after I asked the question...</P> <P>Solution: | eval threshold=case(threshold &lt; overalMean*0.05, 0, threshold &gt; overalMean*0.05, threshold) </P> Wed, 30 Sep 2020 01:30:42 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-find-and-replace/m-p/413840#M119257 willemjongeneel 2020-09-30T01:30:42Z