Splunk Search

Creating an If statement in Search with max() function inside

aracer
Engager

Here's what I have below. I'm trying to do unit conversion and the unit trails in the string (ex. 127 KiB). Any ideas as to why the statement won't work?

eval new_max_rx = if(rx_today = "*KiB", "max(rx_today)*0.000976562") | timechart new_max_rx, max(tx_today) | rename new_max_rx as "Received Data since 12:00 AM", max(tx_today) as "Transmitted Data since 12:00 AM"


DalJeanis
Legend

max() is not a standalone function in Splunk. It is an aggregate function that is only valid in the context of a grouping calculation like stats, chart or timechart.

Therefore, you need to calculate it beforehand.

I believe what you want is eventstats, but there are some other syntax mistakes, so you need to show us the earlier portion of the search so we can straighten it all out for you.

somesoni2
Revered Legend

As @DalJeanis suggested, you'd need to add eventstats (with a few other elements) to do that. Try this

...your base search
| eval day=strftime(_time,"%m/%d/%Y") | eventstats max(rx_today) as max_rx_today by day
| eval new_max_rx = if(match(rx_today,"KiB"), max_rx_today*0.000976562, max_rx_today) | timechart max(new_max_rx) as "Received Data since 12:00 AM", max(tx_today) as "Transmitted Data since 12:00 AM"

DalJeanis
Legend

@somesoni2 -

Whenever someone formats a date...

...before grouping...

...without a format like "%Y-%m-%d" that will sort into the right order....

...puppies and kittens cry.

niketn
Legend

@DalJeanis, there is a possibility that there is an aggregate statistical function prior to the code snippet which is calculating max(rx_today) without renaming the same.

I see an issue with the if condition for the pattern match. The following eval with match() should do the needful, and when using an if condition the else block should be used, for which I have used rx_today.

| eval new_max_rx = if(match(rx_today,"KiB"),'max(rx_today)'*0.000976562,rx_today)

PS: It is a good habit to rename/alias fields after aggregating functions, for example | timechart max(rx_today) as max_rx_today, to ensure that special characters are not included in the field name and it is more meaningful.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
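Pulling the thread's fixes together in one search (a per-day eventstats max, a sortable %Y-%m-%d day key, and a match on the unit with a proper else branch), as an added example that is not any poster's own code; it goes one step further than the thread by normalising KiB, MiB and GiB to MiB before aggregating, because max() over strings such as "127 KiB" compares lexicographically rather than numerically. The rx_today/tx_today values are constructed with makeresults, and the rex patterns assume the field is a number followed by optional whitespace and an IEC unit.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time=relative_time(now(), "-".n."h")
| eval rx_today=case(n==1,"127 KiB", n==2,"96 KiB", n==3,"2 MiB", n==4,"512 KiB", n==5,"3 MiB", n==6,"640 KiB")
| eval tx_today=case(n==1,"40 KiB", n==2,"1 MiB", n==3,"900 KiB", n==4,"75 KiB", n==5,"2 MiB", n==6,"300 KiB")
| rex field=rx_today "^(?<rx_num>[0-9.]+)\s*(?<rx_unit>[KMG]iB)$"
| rex field=tx_today "^(?<tx_num>[0-9.]+)\s*(?<tx_unit>[KMG]iB)$"
| eval rx_mib=case(rx_unit=="KiB", rx_num*0.000976562, rx_unit=="MiB", rx_num, rx_unit=="GiB", rx_num*1024)
| eval tx_mib=case(tx_unit=="KiB", tx_num*0.000976562, tx_unit=="MiB", tx_num, tx_unit=="GiB", tx_num*1024)
| eval day=strftime(_time, "%Y-%m-%d")
| eventstats max(rx_mib) AS max_rx_today BY day
| timechart span=1h max(max_rx_today) AS "Received Data since 12:00 AM" max(tx_mib) AS "Transmitted Data since 12:00 AM"
```

Replace the makeresults, streamstats and the two constructed eval lines with your base search; the 0.000976562 factor is the thread's own KiB-to-MiB constant (1/1024), and any value whose unit is not matched by the rex stays null rather than being silently treated as a number.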

aracer
Engager

Thank you @niketnilay - that solved my issue!

niketn
Legend

Glad it worked 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

aracer
Engager

Thank you for the speedy response! This is all there is to my search besides specifying the file I'm looking at.

somesoni2
Revered Legend

Could you explain more about what max(rx_today) should capture in the eval? Is it max value of rx_today for that day?

aracer
Engager

Yes, it is the max value for that day
