topic Re: need help with IF function in Splunk Search

Help using IF function

saurav47 — Thu, 12 May 2022 19:24:46 GMT

Hi All, i am using IF function like
|eval xxx= if ( status =="1","A", if(status =="2","A", if(status =="3","A","0")

its working wherever i have single value in fields like

Example:-1

status output

1 A

2 A

3 A

Example:- 2

status output

1, 2 A

2, 3 A

1, 3 A

1,4,5,2 A

So in example 2, last values has 1 and 2 with 4 and 5,,, i want to output should be like A and 0 both.

thanks in advance

Re: need help with IF function

ITWhisperer — Thu, 12 May 2022 18:54:29 GMT

Is this the sort of thing you mean?

| eval xxx=mvfilter(status IN ("1","2","3")) | eval yyy=mvfilter(status IN ("4","5")) | eval zzz=mvappend(if(mvcount(xxx)>0,"A",null()),if(mvcount(yyy)>0,"0",null()))

Re: need help with IF function

saurav47 — Thu, 12 May 2022 19:15:07 GMT

@ITWhisperer not certainly , here i dont know about value 4 or 5,,, it is just like any other value except 1,2,3, it should give 0 values.

exact query is.. i want to see for any user how many use case got triggered in last 7 days. but i have a some critical use case list of 10 UC. suppose total are 200UC, i want to check if any incident occurred where for any user both use case combination got triggered within 7 days. (any one or more than one use case from 10 uc list ) + any use case from rest 190 UC.

example

user UC triggered in 7 days

A UC1, UC2, UC87, UC90 UC3

i have given

|eval valuex= if(UC== UC1,1, if(UC== UC2,1, if(UC== UC3,1, if...........if(uc10=="1","0")

user UC triggered in 7 days valuesx

A UC1, UC2, UC87, UC90 UC3 1( want it as 1,0)

so here is the problem,, i am getting valuesx as 1 while it should come 1,0 both as UC triggered having combination.

Re: need help with IF function

ITWhisperer — Fri, 13 May 2022 08:21:22 GMT

It might be easier if you go back a step - what events are you dealing with?

Re: need help with IF function

saurav47 — Fri, 13 May 2022 08:55:42 GMT

@ITWhisperer it's not about events...it's just about how splunk function works... It is just i have a value in field ..matching with my values..if yes. .show 1..else 0... Only problem is where field having both values (matched and unmatched) but it's showing only 1...i want 1and 0 both...

Re: need help with IF function

ITWhisperer — Fri, 13 May 2022 09:02:37 GMT

An if function either has a result if the criteria is true and a result if the criteria is false - this is a very common paradigm

What I am suggesting is that you might be able to get the result you want if you evaluate the usecase events separately before bringing them together for each user (or whatever criteria you have used).