topic Re: Creating an If statement in Search with max() function inside in Splunk Search

Creating an If statement in Search with max() function inside

aracer — Tue, 29 Sep 2020 15:04:07 GMT

Here's what I have below. I'm trying to do unit conversion and the unit trails in the string (ex. 127 KiB). Any ideas as to why the statement won't work?

eval new_max_rx = if(rx_today = "*KiB", "max(rx_today)*0.000976562") | timechart new_max_rx, max(tx_today) | rename new_max_rx as "Received Data since 12:00 AM", max(tx_today) as "Transmitted Data since 12:00 AM"

Re: Creating an If statement in Search with max() function inside

DalJeanis — Thu, 27 Jul 2017 14:54:04 GMT

max() is not a standalone function in splunk. It is an aggregate function that is only valid in the context of a grouping calculation like stats, chart or timechart.

Therefore, you need to calculate it beforehand.

I believe what you want is eventstats, but there are some other syntax mistakes, so you need to show us the earlier portion of the search so we can straighten it all out for you.

Re: Creating an If statement in Search with max() function inside

aracer — Thu, 27 Jul 2017 15:12:19 GMT

Thank you for the speedy response! This is all there is to my search besides specifying the file I'm looking at.

Re: Creating an If statement in Search with max() function inside

somesoni2 — Thu, 27 Jul 2017 15:51:47 GMT

Could you explain more about what max(rx_today) should capture in the eval? Is it max value of rx_today for that day?

Re: Creating an If statement in Search with max() function inside

aracer — Thu, 27 Jul 2017 16:18:10 GMT

Yes, it is the max value for that day

Re: Creating an If statement in Search with max() function inside

somesoni2 — Thu, 27 Jul 2017 16:27:01 GMT

As @Daljeanis suggested, you'd need to add eventstats (with few other elements) to do that. Try this

...your base search
eval day=strftime(_time,"%m/%d/%Y") | eventstats max(rx_today) as max_rx_today by day
|eval new_max_rx = if(rx_today = "*KiB", "max_rx_today*0.000976562") | timechart max(new_max_rx) as "Received Data since 12:00 AM", max(tx_today) as "Transmitted Data since 12:00 AM"

Re: Creating an If statement in Search with max() function inside

niketn — Thu, 27 Jul 2017 16:27:19 GMT

@DalJeanis, there is a possibility that there is an aggregate statistical function prior to the code snippet which is calculating max(rx_today) without renaming the same.

I see issue with the if condition for pattern match. Following eval with match() should do the needful and for using if condition else block should be used, for which I have used rx_today.

| eval new_max_rx = if(match(rx_today,"KiB"),'max(rx_today)'*0.000976562,rx_today)

PS: It is a good habit to rename/alias fields after aggregating functions for example | timechart max(rx_today) as max_rx_today, to ensure that special characters are not included in the field name and it is more meaningful.

Re: Creating an If statement in Search with max() function inside

aracer — Thu, 27 Jul 2017 20:28:06 GMT

Thank you @niketnilay - that solved my issue!

Re: Creating an If statement in Search with max() function inside

DalJeanis — Thu, 27 Jul 2017 20:54:23 GMT

@somesoni2 -

Whenever someone formats a date...

...before grouping...

...without a format like "%Y-%m-%d" that will sort into the right order....

...puppies and kittens cry.

Re: Creating an If statement in Search with max() function inside

niketn — Thu, 27 Jul 2017 20:55:01 GMT

Glad it worked 🙂