Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Help using IF function

saurav47
Loves-to-Learn Lots
‎05-12-2022 11:37 AM

Hi All, i am using IF function like 
|eval xxx= if ( status =="1","A", if(status =="2","A", if(status =="3","A","0")

its working wherever i have single value in fields like 

Example:-1

status  output

1             A

2            A

3            A

 

or 

 

Example:- 2

status     output

1, 2             A

2, 3             A

1, 3             A 

1,4,5,2       A

 

So in example 2, last values has 1 and 2 with 4 and 5,,, i want to output should be like A and 0 both.

thanks in advance

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-12-2022 11:54 AM

Is this the sort of thing you mean?

| eval xxx=mvfilter(status IN ("1","2","3"))
| eval yyy=mvfilter(status IN ("4","5"))
| eval zzz=mvappend(if(mvcount(xxx)>0,"A",null()),if(mvcount(yyy)>0,"0",null()))
0 Karma
Reply

saurav47
Loves-to-Learn Lots
‎05-12-2022 12:15 PM

@ITWhisperer not certainly , here i dont know about value 4 or 5,,, it is just like any other value except 1,2,3, it should give 0 values. 

exact query is.. i want to see for any user how many use case got triggered in last 7 days. but i have a some critical use case list of 10 UC. suppose total are 200UC, i want to check if any incident occurred where for any user both use case combination got triggered within 7 days. (any one or more than one use case from 10 uc list ) + any use case from rest 190 UC.

example 

user               UC triggered in 7 days

A                     UC1, UC2, UC87, UC90 UC3

i have given 

|eval valuex= if(UC== UC1,1, if(UC== UC2,1, if(UC== UC3,1, if...........if(uc10=="1","0")

user               UC triggered in 7 days                          valuesx

A                     UC1, UC2, UC87, UC90 UC3                  1( want it as 1,0)

so here is the problem,, i am getting valuesx as 1 while it should come 1,0 both as UC triggered having combination.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-13-2022 01:21 AM

It might be easier if you go back a step - what events are you dealing with?

0 Karma
Reply

saurav47
Loves-to-Learn Lots
‎05-13-2022 01:55 AM

@ITWhisperer it's not about events...it's just about how splunk function works... It is just i have a value in field ..matching with my values..if yes. .show 1..else 0... Only problem is where field having both values (matched and unmatched) but it's showing only 1...i want 1and 0 both...

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-13-2022 02:02 AM

An if function either has a result if the criteria is true and a result if the criteria is false - this is a very common paradigm

What I am suggesting is that you might be able to get the result you want if you evaluate the usecase events separately before bringing them together for each user (or whatever criteria you have used).

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...