topic Re: How can I use a combination of an IF statement along with AND? in Splunk Search

How can I use a combination of an IF statement along with AND?

jacqu3sy — Wed, 13 Sep 2017 12:43:03 GMT

Hi,

How can I use a combination of an IF statement along with AND.

I'm looking to run a count whereby IF the _hour is greater than a certain time, AND a server name matches a list, dont include the server in the results.

I have something like this;

mysearch...
| eval hour=tonumber(strftime(_time,"%H"))
| if(hour>2 AND NOT (dest="server1" OR dest="server2" OR dest="server3"))
| stats count by _time, hour, dest, status

Essentially I dont want to include results of a server between certain hours.

Any ideas? Thanks.

Re: How can I use a combination of an IF statement along with AND?

HiroshiSatoh — Tue, 29 Sep 2020 15:44:29 GMT

Try this!

(your search) date_hour>2  NOT (dest="server1" OR dest="server2" OR dest="server3")
| stats count by date_hour, dest, status

| eval hour=tonumber(strftime(_time,"%H"))
↓
date_hour

Re: How can I use a combination of an IF statement along with AND?

cmerriman — Wed, 13 Sep 2017 13:02:47 GMT

as a quick note, strftime(_time,"%H") can be different than date_hour when the user is set to a different time zone than the data. strftime(_time,"%H") will put the calculate the hour for the time zone the user is in and date_hour will be the hour the data says.

For instance. if a user is set to be in Central time and data is coming from Pacific time, strftime(_time,"%H") will create a value of 4 and date_hour will have a value of 2.

Re: How can I use a combination of an IF statement along with AND?

DalJeanis — Wed, 13 Sep 2017 13:20:30 GMT

You are confusing two constructs...

| eval foo=if(bar=2,"value1",field2)

...and...

| where ((bar=2) AND (foo=field2))

...or possibly...

| search ((bar=2) AND (foo="value2"))

Remember that search does not "dereference" the value on the right of the equals sign... it assumes that the thing on the right is a literal or a constant of some sort, as opposed to a field name.

Re: How can I use a combination of an IF statement along with AND?

HiroshiSatoh — Wed, 13 Sep 2017 14:45:51 GMT

Thank you for your help.

Re: How can I use a combination of an IF statement along with AND?

lfedak_splunk — Wed, 13 Sep 2017 22:34:31 GMT

Hey @jacqu3sy, if they solved your problem, please remember to "accept" an answer to award karma points and to close the question. You can upvote answers and comments too! All actions award karma points. 🙂

Re: How can I use a combination of an IF statement along with AND?

jacqu3sy — Fri, 15 Sep 2017 08:57:33 GMT

I kind of follow, but I'm not sure how I would use this in the example I have.

Re: How can I use a combination of an IF statement along with AND?

jacqu3sy — Fri, 15 Sep 2017 08:59:54 GMT

Sorry, but I dont follow this. surely this query would ignore anything that occurs before 2? I only want it to ignore results before 2 when it matches a specific server name.

So I need to produce results ONLY if the hour is greater than 2 AND not a certain server. If the hour is less than 2 but a differant server than that listed in the query, I still need to see the results.

Re: How can I use a combination of an IF statement along with AND?

jacqu3sy — Fri, 15 Sep 2017 09:45:31 GMT

Something like this you mean?

| eval suppress=if((hour > 2 and hour < 4 AND (dest="x.x.x.x")"yes","no"))
| where suppress="no"

Re: How can I use a combination of an IF statement along with AND?

jacqu3sy — Fri, 15 Sep 2017 10:28:21 GMT

the following worked, thanks for pointing in the right direction:

| eval suppress=if((hour >=10 AND hour <=13) AND (dest="x.x.x.x"),"yes", "no")
| where suppress="no"

Re: How can I use a combination of an IF statement along with AND?

DalJeanis — Fri, 15 Sep 2017 21:16:52 GMT

@jacqu3sy - You can do it in one step...

| where NOT ((hour >=10 AND hour <=13) AND (dest="x.x.x.x"))

...or...

| where hour<10 OR hour>13 OR dest!="x.x.x.x"