Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why does if condition not work with stats values()?

anooshac
Communicator
‎08-02-2022 04:54 AM

Hi all, I have been trying to use if condition in stats values(). It is not working properly. I have used if conditions before and got results perfectly.

 

stats values(eval(if('FAILS'=="0",0,DATA))) as DATA

 

The fields "DATA" is calculated in the beginning. My requirement is that when there are no FAILS the DATA should be zero otherwise it should be the value which is calculated.  I am doing anything wrong here? Because even if the FAILS are there it is giving me result as 0. Please help me.

Labels (3)
Labels
Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎08-02-2022 05:26 AM

It might be helpful if you could share some sample data, what your current output is and what is expected output.

Does your data looks like this sample runanywhere search?

|  makeresults 
|  eval FAILS=1, DATA=1
|  fields - _time
|  append
    [|  makeresults 
|  eval FAILS=0, DATA=3]
| append
    [|  makeresults 
|  eval FAILS=1, DATA=2] 
|  append
    [|  makeresults 
|  eval FAILS=0, DATA=4]
| append
    [|  makeresults 
|  eval FAILS=1, DATA=5] 
| stats values(eval(if('FAILS'=="0",0,DATA))) as DATA
0 Karma
Reply

anooshac
Communicator
‎08-02-2022 07:53 AM

Hi, @somesoni2 , the data is in json format. Here is one example.

"Task_no":"5",

"Group": "G1",

"EXECUTION_DATE":1648081994535,

"STATUS":"FAILURE",

"DURATION":1951628

  and the data im calculating is MTTR.

.........[| streamstats count as start reset_on_change=true by STATUS
| where start=1
| streamstats count(eval(STATUS=="FAILURE")) as fails by STATUS
| eval fails=if(fails=0,null(),fails)
| filldown fails
| stats list(*) as * by fails| where mvcount(STATUS) = 2|eval MTTR=....]
|append[.....| chart count(Task_no) by Group STATUS
| table Group SUCCESS FAILURE]
| stats values(eval(if('FAILURE'=="0",0,MTTR))) as MTTR

Whenever there is no failures i want to make the MTTR as 0, if there are failures MTTR will be calculated by the query and i want to keep that result as it is. While using stats i am not able to achieve this condition. Where i went wrong in the query? Can you please help me.

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...

Buttercup Games: Further Dashboarding Techniques (Part 6)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...