Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Conditional Statements

MHibbin
Influencer
‎05-18-2012 07:08 AM

Hi Splunkbase,

I was wondering if someone would be able to assist with a problem that I am trying to get my head around, I am not able to get the desired results. Here is my problem...

Say I have some events, for example:

Device Location Result
a123   loc1     0  
b123   loc1     100
c123   loc1     0
----   ----     ------
a456   loc2     0
b456   loc2     0

I would like to group these devices by location, and then output a value dependant on the following condition... If for any device in a single location, the result is "100" then the output value for the whole location (new field) will be 100, or if all the devices in a single location have a result of "0" then I would like to output 0 to the new field.

So my expected results would be something like:

Location Result
loc1     100
loc2     0

Or something to that effect.

Any thoughts/suggestions.

Regards,

Matt

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎05-18-2012 09:06 PM

Your best bet is to use stats. Here you may want to use max() as an aggregator.

For example, append to your search:

| stats max(Result) as Result by Location

You can always use eval. For example, if you only care about Result being exactly 100:

| stats max(eval(if(Result==100, 100, 0))) as Result by Location

View solution in original post

Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎05-18-2012 09:06 PM

Your best bet is to use stats. Here you may want to use max() as an aggregator.

For example, append to your search:

| stats max(Result) as Result by Location

You can always use eval. For example, if you only care about Result being exactly 100:

| stats max(eval(if(Result==100, 100, 0))) as Result by Location
Reply
Solved! Jump to solution

MHibbin
Influencer
‎05-19-2012 04:05 AM

Ha! Always the simplest solution that I overlooked!

Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...