Splunk Search

Conditional find and replace

willemjongeneel
Communicator

Hello,

I have a question on a conditional find and replace. I have a query that calculates a mean for the different hours on the different days. This query looks like this:

index=index1 adapter_name=ABSAdapter earliest=-90d
| timechart span="1h" sum(number_of_records) as aantal
| eval time=strftime(_time,"%w%H")
| eventstats mean(aantal) as meanAantal, stdev(aantal) as stdAantal by time
| where (aantal>(meanAantal + (stdAantal * -3)) AND aantal<(meanAantal + (stdAantal * 3)))
| stats mean(aantal) as threshold by time
| eventstats mean(threshold) as overalMean
| table threshold, time, overalMean

Now I also want to find and replace threshold values that are under a certain value to 0. The condition should be something like:

if(threshold < overalMean*0.20) --> threshold = 0
else --> threshold = threshold

Does anyone know how to do this?

Thanks in advance and kind regards,
Willem

Tags (2)
0 Karma
1 Solution

willemjongeneel
Communicator

I got this working just after I asked the question...

Solution: | eval threshold=case(threshold < overalMean*0.05, 0, threshold > overalMean*0.05, threshold)

View solution in original post

0 Karma

willemjongeneel
Communicator

I got this working just after I asked the question...

Solution: | eval threshold=case(threshold < overalMean*0.05, 0, threshold > overalMean*0.05, threshold)

0 Karma

willemjongeneel
Communicator

I got this working just after I asked the question...

Solution: | eval threshold=case(threshold < overalMean*0.05, 0, threshold > overalMean*0.05, threshold)

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...