Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Conditional Statements

MHibbin
Influencer
‎05-18-2012 07:08 AM

Hi Splunkbase,

I was wondering if someone would be able to assist with a problem that I am trying to get my head around, I am not able to get the desired results. Here is my problem...

Say I have some events, for example:

Device Location Result
a123   loc1     0  
b123   loc1     100
c123   loc1     0
----   ----     ------
a456   loc2     0
b456   loc2     0

I would like to group these devices by location, and then output a value dependant on the following condition... If for any device in a single location, the result is "100" then the output value for the whole location (new field) will be 100, or if all the devices in a single location have a result of "0" then I would like to output 0 to the new field.

So my expected results would be something like:

Location Result
loc1     100
loc2     0

Or something to that effect.

Any thoughts/suggestions.

Regards,

Matt

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎05-18-2012 09:06 PM

Your best bet is to use stats. Here you may want to use max() as an aggregator.

For example, append to your search:

| stats max(Result) as Result by Location

You can always use eval. For example, if you only care about Result being exactly 100:

| stats max(eval(if(Result==100, 100, 0))) as Result by Location

View solution in original post

Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎05-18-2012 09:06 PM

Your best bet is to use stats. Here you may want to use max() as an aggregator.

For example, append to your search:

| stats max(Result) as Result by Location

You can always use eval. For example, if you only care about Result being exactly 100:

| stats max(eval(if(Result==100, 100, 0))) as Result by Location
Reply
Solved! Jump to solution

MHibbin
Influencer
‎05-19-2012 04:05 AM

Ha! Always the simplest solution that I overlooked!

Thanks.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...