Solved: Eval field based on multiple fields?

matstap · ‎04-16-2018

I have three fields A, B, C. I want to evaluate a field D that has the value of C that corresponds with the min value of B when 0 < B < 4, and A=1. How do I evaluate D? Can I use an eval statement in stats?

Example: if I have the given records with the same ID field,

A=1,B=6,C=2
A=1,B=2,C=3
A=1,B=1,C=5,

Then D=5

elliotproebstel · ‎04-16-2018

Given your clarification, I think this should do it (assuming the ID field you mentioned is in a field called unique_id😞

your base search
| eventstats min(B) AS min_B BY unique_id
| eval D=if(B=min_B AND 0<B AND B<4 AND A=1, C, NULL)

View solution in original post

elliotproebstel · ‎04-16-2018

Given your clarification, I think this should do it (assuming the ID field you mentioned is in a field called unique_id😞

your base search
| eventstats min(B) AS min_B BY unique_id
| eval D=if(B=min_B AND 0<B AND B<4 AND A=1, C, NULL)

matstap · ‎04-17-2018

I forgot about eventstats. Thanks

elliotproebstel · ‎04-16-2018

I don't quite understand your description. It sounds like you want D=C if 0<B<4 and A=1. But this is true in both of the following lines:

A=1,B=2,C=3
A=1,B=1,C=5

So I don't understand how you've determined that D=5 and not D=3. Can you explain?

matstap · ‎04-16-2018

I meant to write the min value of B when 0 < B < 4.

Eval field based on multiple fields?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

Eval field based on multiple fields?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits