Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

IF/CASE for multiple variables

klaudiac
Path Finder
‎11-18-2020 06:34 AM

Hi guys, 

Looking for a bit of help because I confused myself at this point and can't think logically 😞

I'm creating a search where I can show uploads vs downloads, and the criteria is as follow:

*if bytes_in (download) is more than 70% of all the bytes for that user, then the main action is data download and I want to add a column "alert" with a value "download"

*if bytes_out (upload) is more than 70% of all the bytes for that user, then the main action is data upload and I want to add to the column "alert" that it's going to be an "upload" 

*if the bytes in and our are within 20% of the even split, then the value in the "alert" column will be no action.
if the split is even, then "no action". 


Now, how do I do it in Splunk?? 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎11-18-2020 07:12 AM 
index=indexName
| eval user_bytes_perc_download = (bytes_in/all_bytes_user)*100
| eval user_bytes_perc_upload = (bytes_out/all_bytes_user)*100
| eval alert=case(user_bytes_perc_download > 70,"download", user_bytes_perc_upload > 70,"upload", user_bytes_perc_download <20 AND user_bytes_perc_upload < 20, "no action")

if the bytes in and our are within 20% of the even split -  I got confused with this, so the query is as per my understanding. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎11-18-2020 07:12 AM 
index=indexName
| eval user_bytes_perc_download = (bytes_in/all_bytes_user)*100
| eval user_bytes_perc_upload = (bytes_out/all_bytes_user)*100
| eval alert=case(user_bytes_perc_download > 70,"download", user_bytes_perc_upload > 70,"upload", user_bytes_perc_download <20 AND user_bytes_perc_upload < 20, "no action")

if the bytes in and our are within 20% of the even split -  I got confused with this, so the query is as per my understanding. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

klaudiac
Path Finder
‎11-18-2020 07:34 AM

Nevermind - I have it 🙂 

Thanks so much for your help! 

0 Karma
Reply
Solved! Jump to solution

klaudiac
Path Finder
‎11-18-2020 07:26 AM

Thanks so much, almost there 🙂
I should have specified better - the equal split would be 50-50% between in and out.  So anything that's within the 30% (not 20 - sorry, I'm losing it today) margin would be "no action" e.g. 60% are uploads and  40% are downloads = "no action" 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...