https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-eval-if-statement-to-output-the-expected-result/m-p/201431#M58364 <P>This works perfectly, thanks so much!</P> Thu, 09 Jun 2016 21:33:33 GMT jxiongjx 2016-06-09T21:33:33Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-eval-if-statement-to-output-the-expected-result/m-p/201429#M58362 <P>In my search I currently have</P> <PRE><CODE>...| transaction startswith = "start" endswith = "end" maxspan = 10m | eval current = if(Data1 == "Curr", Data3, null) | timechart avg(duration) max(current) </CODE></PRE> <P>My transaction is grouping events how I want them to, but the problem I have is with the eval search. Data1 essentially has a description of the type of data and Data3 has the value. I only care about the data when Data1 is "Curr" so if that case is true, then current should be the value of Data3. If not, then I don't care about Data3 so I set it to null.</P> <P>(Note that each event has a Data1 and Data3 value so a transaction should have x number of Data1's and Data3's where x is the eventcount)<BR /> The goal of the search is to go through each event in a transaction and see if Data1 is "Curr" and to take note of the value and after going through each event in the transaction, to find the max value.</P> <P>The problem I found is in the result of max(current)<BR /> If none of the events in a transaction has Data1="Curr", then there is no max(current) value which is what I am looking for.</P> <P>But if there is then the max(current) value just finds the max of Data3 regardless of if that event is the one with Data1="Curr"<BR /> For example: if a log data has<BR /> Event1: start<BR /> Event2: Data1 = Curr, Data3 = 5<BR /> Event3: Data1 = Volt, Data3 = 10<BR /> Event4: end<BR /> My current search is outputting max(current) as 10 when I want it to be 5 since the 3rd event is not a Curr event so its Data3 value should not be counted when finding the max.</P> <P>Any help will be appreciated!</P> Wed, 08 Jun 2016 21:50:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-eval-if-statement-to-output-the-expected-result/m-p/201429#M58362 jxiongjx 2016-06-08T21:50:08Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-eval-if-statement-to-output-the-expected-result/m-p/201430#M58363 <P>The transaction command is making a multi-value field out of Data1, so it will always equal "Curr" in your if statement.</P> <P>You should be able to fix this by moving your eval before your transaction. </P> <PRE><CODE>| eval current = if(Data1 == "Curr", Data3, null) | transaction startswith="start" endswith="end" | timechart avg(duration) max(current) </CODE></PRE> Thu, 09 Jun 2016 00:04:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-eval-if-statement-to-output-the-expected-result/m-p/201430#M58363 justinatpnnl 2016-06-09T00:04:11Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-eval-if-statement-to-output-the-expected-result/m-p/201431#M58364 <P>This works perfectly, thanks so much!</P> Thu, 09 Jun 2016 21:33:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-eval-if-statement-to-output-the-expected-result/m-p/201431#M58364 jxiongjx 2016-06-09T21:33:33Z