Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

if Condition then print table A, ELSE table B

dbattaglia
New Member
‎03-16-2020 02:42 PM

hello experts,

I'm trying to do a simple thing but I'm not able to figure it out.

so, my problem is that I want to produce a table based on a condition, like below:

if condition=TRUE, stats values(A) as A, values(B) as B by C, ("ELSE") stats values(Z) as Z, values(X) as X by Y

SO, if the condition is true I want to built a table with certain variables, otherwise with some others.

Thanks much.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-24-2020 05:54 PM

You could do something like this:

index="_*"
| eval foo="bar"
| multireport
[stats count first(foo) AS foo BY index | where foo="bar" ]
[stats count first(foo) AS foo BY sourcetype | where foo="bat" ]

vs. this:

index="_*"
| eval foo="bat"
| multireport
[stats count first(foo) AS foo BY index | where foo="bar" ]
[stats count first(foo) AS foo BY sourcetype | where foo="bat" ]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-24-2020 05:54 PM

You could do something like this:

index="_*"
| eval foo="bar"
| multireport
[stats count first(foo) AS foo BY index | where foo="bar" ]
[stats count first(foo) AS foo BY sourcetype | where foo="bat" ]

vs. this:

index="_*"
| eval foo="bat"
| multireport
[stats count first(foo) AS foo BY index | where foo="bar" ]
[stats count first(foo) AS foo BY sourcetype | where foo="bat" ]
0 Karma
Reply
Solved! Jump to solution

dbattaglia
New Member
‎03-26-2020 01:25 PM

Great, this is working! Thanks Much!
Not sure why is messing the order of the fields in the stats... but is working.

Again, thanks much.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎03-16-2020 03:48 PM

Hi dbattaglia,

you need to move the logic outside of the stats command in this case, try something like this:

 base SPL here
 | eval A=if(condition=TRUE, A, Z), B=if(condition=TRUE, B, X), C=if(condition=TRUE, C, Y)
 | stats values(A) AS A, values(B) AS B by C

Hope this helps ...

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

dbattaglia
New Member
‎03-17-2020 08:53 AM

Thanks MuS, this is almost perfect, only issue is that as results of the stats I get always A, B, C as field names, other than that everything else is good.

would you know how to change dynamically the field names as result of the eval if?

Thanks very much, appreciated.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎03-24-2020 12:58 PM

Hi dbattaglia,

I reckon the only way to get this working like this would be in a dashboard and use token to replace the values. I don't think this is possible in ad-hoc search.

cheers, MuS

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...