Reporting

IF command with two conditions on a multivalue field

cindygibbs_08
Communicator

Hello gorgeous people,

I have been trying to create a variable named "promotion" with only two categorical values "YES" and "NO" .

To summarize if TAG1="X01" and TAG2 is empty or missing or null or N.A I want the promotion variable to be "YES" otherwise "NO"... I'd like to kindly let you know that I am using the stats command (by client)  to visualize this results along with several others that I am computing and I have tried the following lines of code without any luck:

 

| eval promotion=if(TAG1="X01" AND TAG2="","YES","NO")
| stats count(eval(promotion=="YES")) as Promotion? by CLIENT

 

| eval promotion=if(TAG1="X01" AND isnull(TAG2),"YES","NO")
| stats count(eval(promotion=="YES")) as Promotion? by CLIENT

 

| eval promotion=if(isnull(TAG1),"NO", if(TAG1="X01" AND TAG2="","YES","NO"))
| stats count(eval(promotion=="YES")) as Promotion? by CLIENT

 

These lines are not working for me because they return either "NO" when they should be returning "YES" or they just returning "YES" in all posible cases which is incorrect as well... I am aware that because of the nature of my data I have mutilvalue fields.. and I dont know is that is what is causing the issue

thank you so much everyone for your help!

with kind,

 

cindy

 

Labels (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You could try:

| fillnull value="" TAG2
| eval promotion=if(TAG1=="X01" AND TAG2=="","YES","NO")
| stats count(eval(promotion=="YES")) as Promotion? by CLIENT

cindygibbs_08
Communicator

Hello my distinguished  and dear gentleman,

Thank you for reaching out, I have just tried your advice but it did not work... I think I forgot to say that I am trying to organize the information in a stats command by CLIENT name.. but I have a feeling that I can only do this IF statement AFTER the stats  command... because the is the stats command that allows me to group or join the TAG1 and TAG2 by CLIENT am I crazy? I have a feeling that it has to be after the stats command but if I use it after the stats command is there a way I can count the events again ? I have another questions.. in the current stats command that I have I have saved some variables within quotation marks because the have spaces between words such as "Number of Complaints" but if I am going to do some calculations with this variables I noticed that I can only that with variables that dont have spaces like "Sales" of course I have to remove the quotation marks... is like


if I have this:

| stats count(sales_hotel) as "Sales of 5 Guilt"



I cant do this

| eval g2= 3843-"Sales of 5 Guilt"

but if I had this

| stats count(sales_hotel) as Salesof5Guilt

then I can do this

| eval g2= 3843-Salesof5Guillt

is there anyway to do computation with the variables I saved in the formart "xxx xxx   xxx"

Thank you my dear @ITWhisperer  for sharing your knowledge and helping the poor souls here I love you so much

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

OK let's deal with the second question first, you can use the contents of a field where the name has spaces in by enclosing the name in single quotes, not double, e.g. 

| eval g2= 3843-'Sales of 5 Guilt'

Back to the main question, are you saying that TAG1 and TAG2 are in different events? Perhaps if you could share some sample anonymised events, it would help me to understand what you are working with.

cindygibbs_08
Communicator

Thank you @ITWhisperer  You solved my second question! thank you so much!!!!!!!

Gergarding the second question.... lets say that
 TAG1 comes from:

 

index="Hotel_stay"
| search code="TAG1" AND CLIENT=* AND review=*

 

 while TAG2 comes from 

 

index="Hotel_comp_pack_adult"
| search code="TAG2" AND CLIENT=*

 

 

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...