Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does if condition not work with stats values()?

anooshac
Communicator
‎08-02-2022 04:54 AM

Hi all, I have been trying to use if condition in stats values(). It is not working properly. I have used if conditions before and got results perfectly.

 

stats values(eval(if('FAILS'=="0",0,DATA))) as DATA

 

The fields "DATA" is calculated in the beginning. My requirement is that when there are no FAILS the DATA should be zero otherwise it should be the value which is calculated.  I am doing anything wrong here? Because even if the FAILS are there it is giving me result as 0. Please help me.

Labels (3)
Labels
Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎08-02-2022 05:26 AM

It might be helpful if you could share some sample data, what your current output is and what is expected output.

Does your data looks like this sample runanywhere search?

|  makeresults 
|  eval FAILS=1, DATA=1
|  fields - _time
|  append
    [|  makeresults 
|  eval FAILS=0, DATA=3]
| append
    [|  makeresults 
|  eval FAILS=1, DATA=2] 
|  append
    [|  makeresults 
|  eval FAILS=0, DATA=4]
| append
    [|  makeresults 
|  eval FAILS=1, DATA=5] 
| stats values(eval(if('FAILS'=="0",0,DATA))) as DATA
0 Karma
Reply

anooshac
Communicator
‎08-02-2022 07:53 AM

Hi, @somesoni2 , the data is in json format. Here is one example.

"Task_no":"5",

"Group": "G1",

"EXECUTION_DATE":1648081994535,

"STATUS":"FAILURE",

"DURATION":1951628

  and the data im calculating is MTTR.

.........[| streamstats count as start reset_on_change=true by STATUS
| where start=1
| streamstats count(eval(STATUS=="FAILURE")) as fails by STATUS
| eval fails=if(fails=0,null(),fails)
| filldown fails
| stats list(*) as * by fails| where mvcount(STATUS) = 2|eval MTTR=....]
|append[.....| chart count(Task_no) by Group STATUS
| table Group SUCCESS FAILURE]
| stats values(eval(if('FAILURE'=="0",0,MTTR))) as MTTR

Whenever there is no failures i want to make the MTTR as 0, if there are failures MTTR will be calculated by the query and i want to keep that result as it is. While using stats i am not able to achieve this condition. Where i went wrong in the query? Can you please help me.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...