Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Help using IF function

saurav47
Loves-to-Learn Lots
‎05-12-2022 11:37 AM

Hi All, i am using IF function like 
|eval xxx= if ( status =="1","A", if(status =="2","A", if(status =="3","A","0")

its working wherever i have single value in fields like 

Example:-1

status  output

1             A

2            A

3            A

 

or 

 

Example:- 2

status     output

1, 2             A

2, 3             A

1, 3             A 

1,4,5,2       A

 

So in example 2, last values has 1 and 2 with 4 and 5,,, i want to output should be like A and 0 both.

thanks in advance

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-12-2022 11:54 AM

Is this the sort of thing you mean?

| eval xxx=mvfilter(status IN ("1","2","3"))
| eval yyy=mvfilter(status IN ("4","5"))
| eval zzz=mvappend(if(mvcount(xxx)>0,"A",null()),if(mvcount(yyy)>0,"0",null()))
0 Karma
Reply

saurav47
Loves-to-Learn Lots
‎05-12-2022 12:15 PM

@ITWhisperer not certainly , here i dont know about value 4 or 5,,, it is just like any other value except 1,2,3, it should give 0 values. 

exact query is.. i want to see for any user how many use case got triggered in last 7 days. but i have a some critical use case list of 10 UC. suppose total are 200UC, i want to check if any incident occurred where for any user both use case combination got triggered within 7 days. (any one or more than one use case from 10 uc list ) + any use case from rest 190 UC.

example 

user               UC triggered in 7 days

A                     UC1, UC2, UC87, UC90 UC3

i have given 

|eval valuex= if(UC== UC1,1, if(UC== UC2,1, if(UC== UC3,1, if...........if(uc10=="1","0")

user               UC triggered in 7 days                          valuesx

A                     UC1, UC2, UC87, UC90 UC3                  1( want it as 1,0)

so here is the problem,, i am getting valuesx as 1 while it should come 1,0 both as UC triggered having combination.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-13-2022 01:21 AM

It might be easier if you go back a step - what events are you dealing with?

0 Karma
Reply

saurav47
Loves-to-Learn Lots
‎05-13-2022 01:55 AM

@ITWhisperer it's not about events...it's just about how splunk function works... It is just i have a value in field ..matching with my values..if yes. .show 1..else 0... Only problem is where field having both values (matched and unmatched) but it's showing only 1...i want 1and 0 both...

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-13-2022 02:02 AM

An if function either has a result if the criteria is true and a result if the criteria is false - this is a very common paradigm

What I am suggesting is that you might be able to get the result you want if you evaluate the usecase events separately before bringing them together for each user (or whatever criteria you have used).

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...