Eval statement based of 1 field using If

codedtech · ‎07-13-2020

I have a bunch of storage clusters that we monitor, 60% of the envrioment uses normal GB, the other 40% uses GiB. I need to show all of the storage arrays in 1 report and normalize the storage to GB, and the only field that is different between the storage besides the array name is "storage vendor" . I need to create an If statement if vendor is like "X" run these evals
|eval _GB_TiB = (((Capacity_GB)*1.1)/1024)*0.909495
| eval "Prov(TiB)" = (((prov_GB)*1.1)/1024)*0.909495
| eval "Written(TiB)" = ((((writtedGB)*1.1)/1024)*0.909495)/2

richgalloway · ‎07-13-2020

How should Splunk distinguish those that use GB from those that use GiB?

---
If this reply helps you, Karma would be appreciated.

codedtech · ‎07-13-2020

I like to use an If or case statement ideally based of the vendor or storage array name.

something along the lines like this

query|eval if(vendor="vendor 1(then eval Capacity(TiB) = (((Capacity_GB)*1.1)/1024)*0.909495
| eval "provisioned (TiB)" = (((provisionedGB)*1.1)/1024)*0.909495
| eval "Written(TiB)" = ((((usedGB)*1.1)/1024)*0.909495)/2

richgalloway · ‎07-13-2020

Perhaps this will help

... | eval Capacity = if(vendor="foo" OR vendor="bar", exact((GB*1.1)/1024)*0.909495), GB)

---
If this reply helps you, Karma would be appreciated.

Eval statement based of 1 field using If

eval

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

Enterprise Security Content Update (ESCU) | New Releases

Are you a member of the Splunk Community?

Eval statement based of 1 field using If

eval

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

Enterprise Security Content Update (ESCU) | New Releases