Solved: Creating an If statement in Search with max() func...

aracer · ‎07-27-2017

Here's what I have below. I'm trying to do unit conversion and the unit trails in the string (ex. 127 KiB). Any ideas as to why the statement won't work?

eval new_max_rx = if(rx_today = "*KiB", "max(rx_today)*0.000976562") | timechart new_max_rx, max(tx_today) | rename new_max_rx as "Received Data since 12:00 AM", max(tx_today) as "Transmitted Data since 12:00 AM"

DalJeanis · ‎07-27-2017

max() is not a standalone function in splunk. It is an aggregate function that is only valid in the context of a grouping calculation like stats, chart or timechart.

Therefore, you need to calculate it beforehand.

I believe what you want is eventstats, but there are some other syntax mistakes, so you need to show us the earlier portion of the search so we can straighten it all out for you.

View solution in original post

somesoni2 · ‎07-27-2017

As @Daljeanis suggested, you'd need to add eventstats (with few other elements) to do that. Try this

...your base search
eval day=strftime(_time,"%m/%d/%Y") | eventstats max(rx_today) as max_rx_today by day
|eval new_max_rx = if(rx_today = "*KiB", "max_rx_today*0.000976562") | timechart max(new_max_rx) as "Received Data since 12:00 AM", max(tx_today) as "Transmitted Data since 12:00 AM"

DalJeanis · ‎07-27-2017

@somesoni2 -

Whenever someone formats a date...

...before grouping...

...without a format like "%Y-%m-%d" that will sort into the right order....

...puppies and kittens cry.

DalJeanis · ‎07-27-2017

max() is not a standalone function in splunk. It is an aggregate function that is only valid in the context of a grouping calculation like stats, chart or timechart.

Therefore, you need to calculate it beforehand.

I believe what you want is eventstats, but there are some other syntax mistakes, so you need to show us the earlier portion of the search so we can straighten it all out for you.

niketn · ‎07-27-2017

@DalJeanis, there is a possibility that there is an aggregate statistical function prior to the code snippet which is calculating max(rx_today) without renaming the same.

I see issue with the if condition for pattern match. Following eval with match() should do the needful and for using if condition else block should be used, for which I have used rx_today.

| eval new_max_rx = if(match(rx_today,"KiB"),'max(rx_today)'*0.000976562,rx_today)

PS: It is a good habit to rename/alias fields after aggregating functions for example | timechart max(rx_today) as max_rx_today, to ensure that special characters are not included in the field name and it is more meaningful.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

aracer · ‎07-27-2017

Thank you @niketnilay - that solved my issue!

niketn · ‎07-27-2017

Glad it worked 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

aracer · ‎07-27-2017

Thank you for the speedy response! This is all there is to my search besides specifying the file I'm looking at.

somesoni2 · ‎07-27-2017

Could you explain more about what max(rx_today) should capture in the eval? Is it max value of rx_today for that day?

aracer · ‎07-27-2017

Yes, it is the max value for that day

Creating an If statement in Search with max() function inside

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...