topic Re: evaluation with condition in Splunk Search

evaluation with condition

zacksoft — Tue, 29 Sep 2020 18:01:36 GMT

I have two values x and y. Both values are dynamic (keeps on changing).
x indicates _time and y indicates a value that continuosly changes with time.
I want the value of y at two particular instances of x.

I do this,
|eval mytime = round(_time)
|eval mytime2 = round(_time) - 40

I wish to have value of y when x's value is mytime and
the value of y when x's value is mytime2 (i.e. 40 sec before current time)
If condition only helps to get the value of y when x is mytime, but it won't help when x = mytime2. When x=mytime2 , it still gives the same value as mytime. But it shouldn't be the case.

Re: evaluation with condition

493669 — Thu, 08 Feb 2018 07:40:55 GMT

could you provide sample inputs and expected output to better understand

Re: evaluation with condition

zacksoft — Thu, 08 Feb 2018 07:45:21 GMT

X | Y
1518074558| 464758
1518074559| 5757657
1518074560| 464533
1518074561| 667231
1518074562| 77654
1518074563| 00987
1518074564 | 567843

X indicates UNIX time.

Re: evaluation with condition

493669 — Thu, 08 Feb 2018 08:07:32 GMT

Try this:

...|eval result= case(x=mytime,y, x=mytime2,y)

Re: evaluation with condition

zacksoft — Tue, 29 Sep 2020 18:01:42 GMT

I tried this and I get empty value(nothing) for y1 and y2.
y1 is where I want to save y's value when it matches with mytime
y2 is where I want to save y's value when it matches mytime2.
This is what I tried

Re: evaluation with condition

493669 — Thu, 08 Feb 2018 08:52:16 GMT

try this:

| eval mytime = round(_time) | eval mytime2= round(_time)-40
| eval x = round(_time) 
|eval y1=if(x=mytime,y), y2=if(x=mytime2,y)
|table mytime,mytime2,y1,y2

Re: evaluation with condition

FrankVl — Thu, 08 Feb 2018 08:52:25 GMT

What is the data that you used for this test? Specifically: do fields y1 and y2 actually exist?

It would really help if you're a bit more clear in exactly what you are trying and what you expect as the outcome.

Re: evaluation with condition

zacksoft — Thu, 08 Feb 2018 08:57:51 GMT

Error in 'eval' command: The arguments to the 'if' function are invalid.

Re: evaluation with condition

493669 — Thu, 08 Feb 2018 09:00:55 GMT

does in your data y field exists?

Re: evaluation with condition

493669 — Thu, 08 Feb 2018 09:02:23 GMT

ohh my mistake.. try this

| eval mytime = round(_time) | eval mytime2= round(_time)-40
 | eval x = round(_time) 
 |eval y1=if(x=mytime,y,null()), y2=if(x=mytime2,y,null())
 |table mytime,mytime2,y1,y2

Re: evaluation with condition

zacksoft — Tue, 29 Sep 2020 18:01:47 GMT

y's value changes based on x. and x indicates _time in real -time.
I am looking to find the value of y based on two different instance of time(x) and save it in y1 and y2 respectively. y1 and y2 don't exist.

this didn't give any result

Re: evaluation with condition

zacksoft — Thu, 08 Feb 2018 09:05:55 GMT

This worked. But only for y1. I don't see any values for y2. y2 column comes empty.
And yes, y has value in it.

Re: evaluation with condition

493669 — Thu, 08 Feb 2018 09:08:28 GMT

could you provide what query you have tried?

Re: evaluation with condition

493669 — Thu, 08 Feb 2018 09:10:22 GMT

here if x value matches with mytime then store y's value in y1 else null.
similarly if x value matches with mytime2 then store y's value in y2 else store null.
this is basic understanding of this query

Re: evaluation with condition

zacksoft — Tue, 29 Sep 2020 18:01:53 GMT

somehow x value (i.e. the current time) matches with mytime and gives y data, BUT x value doesn't match with mytime2(i.e. 40 sec previous data) and gives null.

I tried changing 'mytime2' to -40, -60, -30 etc... But same result.

Re: evaluation with condition

493669 — Thu, 08 Feb 2018 09:19:17 GMT

one thing i noticed how it could match x=mytime2 as you already set x value nothing but mytime value ....because mytime=round(_time) and x value is also round(_time)

Re: evaluation with condition

FrankVl — Tue, 29 Sep 2020 17:59:02 GMT

As @493669 already mentions above: if you set x=round(_time), how will it ever match anything else then mytime (which you also set to round(_time).

And eval result=case... stores the content of y1 or y2 (depending on which case is true) in the result field. So if y1 and y2 are empty, of course that gives no result.

I think two things are making it hard to answer this properly:
1: your explanation of exactly what data you have and what you want as a result remains vague.
2: people still try to help you along with examples, but you don't fully understand some of the commands suggested, which causes you to glue examples together in ways that don't make much sense, which only adds to the confusion.

So:
Please be more clear in describing what data you have and what you want to achieve AND when someone presents an example, check the Splunk search reference documentation and make sure you understand what the commands do and how to use them, so you know how to apply it to your use case.

Sorry for perhaps being a bit direct on this, but in the end that is the way you will take the most out of such discussions and really improve your Splunk search skills 🙂

Re: evaluation with condition

zacksoft — Tue, 29 Sep 2020 18:01:56 GMT

This gives me y2 value , but not the correct value. It shows me the same y2 value that of y1. I think when the condition x2=mytime2 becomes true , it is giving us the "current value of y" instead of giving the "40 sec older value of y".
But I want both the current y value and 40 sec older y value .

Re: evaluation with condition

zacksoft — Tue, 29 Sep 2020 18:01:59 GMT

@493669
I think, if "x" were some other alphanumeric value except " _time" it might have worked.
When it comes to '_time' the anomaly rises. But I could be wrong.
I have applied the same logic at other instances and it have worked, But when it comes to comparing _time field it shows weirdness.

Re: evaluation with condition

493669 — Thu, 08 Feb 2018 09:45:03 GMT

not able to understand what you exactly want to achieve?
if could you provide exact sample input and expected output...