Creating an If statement in Search with max() function inside

aracer
Engager

Here's what I have below. I'm trying to do unit conversion and the unit trails in the string (ex. 127 KiB). Any ideas as to why the statement won't work?

eval new_max_rx = if(rx_today = "*KiB", "max(rx_today)*0.000976562") | timechart new_max_rx, max(tx_today) | rename new_max_rx as "Received Data since 12:00 AM", max(tx_today) as "Transmitted Data since 12:00 AM"

DalJeanis
SplunkTrust

max() is not a standalone function in Splunk. It is an aggregate function that is only valid in the context of a grouping calculation like stats, chart or timechart.

Therefore, you need to calculate it beforehand.

I believe what you want is eventstats, but there are some other syntax mistakes, so you need to show us the earlier portion of the search so we can straighten it all out for you.

somesoni2
SplunkTrust

As @DalJeanis suggested, you'd need to add eventstats (with a few other elements) to do that. Try this:

...your base search
| eval day=strftime(_time,"%m/%d/%Y")
| eventstats max(rx_today) as max_rx_today by day
| eval new_max_rx = if(match(rx_today,"KiB"), max_rx_today*0.000976562, max_rx_today)
| timechart max(new_max_rx) as "Received Data since 12:00 AM", max(tx_today) as "Transmitted Data since 12:00 AM"

DalJeanis
SplunkTrust

@somesoni2 -

Whenever someone formats a date...

...before grouping...

...without a format like "%Y-%m-%d" that will sort into the right order....

...puppies and kittens cry.


niketn
Legend

@DalJeanis, there is a possibility that there is an aggregate statistical function prior to the code snippet which is calculating max(rx_today) without renaming the same.

I see an issue with the if condition for the pattern match. The following eval with match() should do the needful; also, when using an if condition, an else block should be used, for which I have used rx_today.

| eval new_max_rx = if(match(rx_today,"KiB"),'max(rx_today)'*0.000976562,rx_today)

PS: It is a good habit to rename/alias fields after aggregating functions, for example | timechart max(rx_today) as max_rx_today, to ensure that special characters are not included in the field name and that it is more meaningful.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
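Added example (not from any poster in this thread): a self-contained search that puts the advice above together. It builds a handful of constructed events with makeresults (the timestamps and sizes are made up for illustration), parses the trailing unit out of strings like "127 KiB" with rex, converts every value to bytes with case() so that max() compares numbers rather than strings, computes the per-day maximum with eventstats, and renames the aggregate so the later eval can reference it without quoting. It generalizes the thread's single KiB case to the full binary-unit ladder (B, KiB, MiB, GiB, TiB) and uses the sortable "%Y-%m-%d" day format. The field names rx_num, rx_unit, rx_bytes, tx_bytes, max_rx_bytes and max_rx_mib are assumptions introduced here, not fields from the original search.

```spl
| makeresults count=1
| eval data="2024-03-01T00:05:00|127 KiB|3 MiB;2024-03-01T06:00:00|900 KiB|1.2 MiB;2024-03-01T12:00:00|2.5 MiB|0.8 GiB;2024-03-02T01:00:00|50 KiB|200 KiB"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<ts>[^|]+)\|(?<rx_today>[^|]+)\|(?<tx_today>[^|]+)$"
| eval _time=strptime(ts, "%Y-%m-%dT%H:%M:%S")
| fields - data ts
| rex field=rx_today "^(?<rx_num>[\d.]+)\s*(?<rx_unit>[KMGT]i?B|B)$"
| rex field=tx_today "^(?<tx_num>[\d.]+)\s*(?<tx_unit>[KMGT]i?B|B)$"
| eval rx_bytes = tonumber(rx_num) * case(rx_unit=="B", 1, rx_unit=="KiB", 1024, rx_unit=="MiB", pow(1024,2), rx_unit=="GiB", pow(1024,3), rx_unit=="TiB", pow(1024,4), true(), null())
| eval tx_bytes = tonumber(tx_num) * case(tx_unit=="B", 1, tx_unit=="KiB", 1024, tx_unit=="MiB", pow(1024,2), tx_unit=="GiB", pow(1024,3), tx_unit=="TiB", pow(1024,4), true(), null())
| eval day=strftime(_time, "%Y-%m-%d")
| eventstats max(rx_bytes) as max_rx_bytes by day
| eval max_rx_mib = round(max_rx_bytes / pow(1024,2), 3)
| timechart span=1d max(max_rx_mib) as "Received Data since 12:00 AM", max(tx_bytes) as "Transmitted Data since 12:00 AM"
```

A few notes on the design: the 0.000976562 in the original search is 1/1024, i.e. KiB to MiB, and it silently leaves values that carry any other unit unconverted; converting everything to bytes first removes that dependency on the unit in each row. The regex deliberately excludes decimal units (KB, MB), so a string that does not match falls through to null() rather than being counted with the wrong multiplier. Once the fields are numeric, the eventstats step is only needed if the per-day maximum must be present on each event for a later eval; timechart max(rx_bytes) alone would give the same per-day figure.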

aracer
Engager

Thank you @niketnilay - that solved my issue!


niketn
Legend

Glad it worked 🙂


aracer
Engager

Thank you for the speedy response! This is all there is to my search besides specifying the file I'm looking at.


somesoni2
SplunkTrust

Could you explain more about what max(rx_today) should capture in the eval? Is it max value of rx_today for that day?


aracer
Engager

Yes, it is the max value for that day
