- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: if condition does not work with stats values()
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why does if condition not work with stats values()?
Hi all, I have been trying to use if condition in stats values(). It is not working properly. I have used if conditions before and got results perfectly.
stats values(eval(if('FAILS'=="0",0,DATA))) as DATA
The fields "DATA" is calculated in the beginning. My requirement is that when there are no FAILS the DATA should be zero otherwise it should be the value which is calculated. I am doing anything wrong here? Because even if the FAILS are there it is giving me result as 0. Please help me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It might be helpful if you could share some sample data, what your current output is and what is expected output.
Does your data looks like this sample runanywhere search?
| makeresults
| eval FAILS=1, DATA=1
| fields - _time
| append
[| makeresults
| eval FAILS=0, DATA=3]
| append
[| makeresults
| eval FAILS=1, DATA=2]
| append
[| makeresults
| eval FAILS=0, DATA=4]
| append
[| makeresults
| eval FAILS=1, DATA=5]
| stats values(eval(if('FAILS'=="0",0,DATA))) as DATA- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, @somesoni2 , the data is in json format. Here is one example.
"Task_no":"5",
"Group": "G1",
"EXECUTION_DATE":1648081994535,
"STATUS":"FAILURE",
"DURATION":1951628and the data im calculating is MTTR.
.........[| streamstats count as start reset_on_change=true by STATUS
| where start=1
| streamstats count(eval(STATUS=="FAILURE")) as fails by STATUS
| eval fails=if(fails=0,null(),fails)
| filldown fails
| stats list(*) as * by fails| where mvcount(STATUS) = 2|eval MTTR=....]
|append[.....| chart count(Task_no) by Group STATUS
| table Group SUCCESS FAILURE]
| stats values(eval(if('FAILURE'=="0",0,MTTR))) as MTTRWhenever there is no failures i want to make the MTTR as 0, if there are failures MTTR will be calculated by the query and i want to keep that result as it is. While using stats i am not able to achieve this condition. Where i went wrong in the query? Can you please help me.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
