Creating an If statement in Search with max() function inside

aracer
Engager

Here's what I have below. I'm trying to do unit conversion and the unit trails in the string (ex. 127 KiB). Any ideas as to why the statement won't work?

eval new_max_rx = if(rx_today = "*KiB", "max(rx_today)*0.000976562") | timechart new_max_rx, max(tx_today) | rename new_max_rx as "Received Data since 12:00 AM", max(tx_today) as "Transmitted Data since 12:00 AM"

1 Solution

DalJeanis
SplunkTrust

max() is not a standalone function in Splunk. It is an aggregate function that is only valid in the context of a grouping calculation like stats, chart or timechart.

Therefore, you need to calculate it beforehand.

I believe what you want is eventstats, but there are some other syntax mistakes, so you need to show us the earlier portion of the search so we can straighten it all out for you.


somesoni2
SplunkTrust

As @DalJeanis suggested, you'd need to add eventstats (with a few other elements) to do that. Try this:

...your base search
| eval day=strftime(_time,"%m/%d/%Y") | eventstats max(rx_today) as max_rx_today by day
| eval new_max_rx = if(match(rx_today,"KiB"), max_rx_today*0.000976562, max_rx_today) | timechart max(new_max_rx) as "Received Data since 12:00 AM", max(tx_today) as "Transmitted Data since 12:00 AM"

DalJeanis
SplunkTrust

@somesoni2 -

Whenever someone formats a date...

...before grouping...

...without a format like "%Y-%m-%d" that will sort into the right order....

...puppies and kittens cry.



niketn
Legend

@DalJeanis, there is a possibility that there is an aggregate statistical function prior to the code snippet that calculates max(rx_today) without renaming it.

I see an issue with the if condition for the pattern match. The following eval with match() should do what you need; an if condition also needs an else branch, for which I have used rx_today.

| eval new_max_rx = if(match(rx_today,"KiB"),'max(rx_today)'*0.000976562,rx_today)

PS: It is a good habit to rename/alias fields after aggregate functions, for example | timechart max(rx_today) as max_rx_today, to ensure that special characters are not included in the field name and that it is more meaningful.

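Pulling the thread's answers together, here is an added, self-contained SPL search that is not from any of the posters: it computes the daily aggregate first with eventstats (DalJeanis's point), tests the unit with a real pattern/equality check instead of the wildcard string compare that eval's = never matches (niketn's point), and groups on a sortable "%Y-%m-%d" day key (DalJeanis's note). It goes a step beyond the thread by also parsing the number out of the unit-suffixed string with rex and normalising every unit to MiB (the OP's 0.000976562 is 1/1024, i.e. KiB to MiB). The rx_today values, the tx_today numbers and every field name other than rx_today and tx_today are constructed assumptions built with makeresults.

```spl
| makeresults count=6
| streamstats count as n
| eval _time = relative_time(now(), "-2d@d") + (n * 21600)
| eval rx_today = case(n=1, "900 B", n=2, "127 KiB", n=3, "2.5 MiB", n=4, "64 KiB", n=5, "1 GiB", n=6, "300 KiB")
| eval tx_today = n * 10
| rex field=rx_today "^(?<rx_num>[\d.]+)\s*(?<rx_unit>[KMG]iB|B)$"
| eval rx_mib = tonumber(rx_num) * case(rx_unit="B", 1/1048576, rx_unit="KiB", 1/1024, rx_unit="MiB", 1, rx_unit="GiB", 1024)
| eval day = strftime(_time, "%Y-%m-%d")
| eventstats max(rx_mib) as max_rx_mib by day
| eval pct_of_daily_peak = round(100 * rx_mib / max_rx_mib, 1)
| timechart span=1d max(rx_mib) as "Received Data since 12:00 AM (MiB)", max(tx_today) as "Transmitted Data since 12:00 AM"
```

Replace the final timechart with | table _time rx_today rx_mib day max_rx_mib pct_of_daily_peak to see the eventstats value attached to every event, which is what an eval with max() inside it was trying to get at.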

aracer
Engager

Thank you @niketnilay - that solved my issue!


niketn
Legend

Glad it worked 🙂


aracer
Engager

Thank you for the speedy response! This is all there is to my search besides specifying the file I'm looking at.


somesoni2
SplunkTrust

Could you explain more about what max(rx_today) should capture in the eval? Is it max value of rx_today for that day?


aracer
Engager

Yes, it is the max value for that day.
