Hi all, I am using the IF function like
| eval xxx=if(status=="1","A", if(status=="2","A", if(status=="3","A","0")))
It's working wherever I have a single value in the field, like
Example:-1
status output
1 A
2 A
3 A
or
Example:- 2
status output
1, 2 A
2, 3 A
1, 3 A
1,4,5,2 A
So in example 2, the last value has 1 and 2 together with 4 and 5. I want the output to be both A and 0.
Thanks in advance.
Is this the sort of thing you mean?
| eval xxx=mvfilter(status IN ("1","2","3"))
| eval yyy=mvfilter(status IN ("4","5"))
| eval zzz=mvappend(if(mvcount(xxx)>0,"A",null()),if(mvcount(yyy)>0,"0",null()))
@ITWhisperer not exactly. Here I don't know about the values 4 or 5; it is just that any other value except 1, 2, 3 should give 0.
The exact query is: I want to see, for any user, how many use cases got triggered in the last 7 days. But I have a list of 10 critical use cases. Suppose the total is 200 UCs; I want to check if any incident occurred where, for any user, the use case combination got triggered within 7 days: (any one or more use cases from the 10-UC list) + any use case from the remaining 190 UCs.
example
user UC triggered in 7 days
A UC1, UC2, UC87, UC90 UC3
I have given
|eval valuex= if(UC== UC1,1, if(UC== UC2,1, if(UC== UC3,1, if...........if(uc10=="1","0")
user UC triggered in 7 days valuesx
A UC1, UC2, UC87, UC90 UC3 1( want it as 1,0)
So here is the problem: I am getting valuesx as 1, while it should come out as both 1 and 0, since the UCs triggered include the combination.
It might be easier if you go back a step - what events are you dealing with?
@ITWhisperer it's not about events; it's just about how the Splunk function works. I just have a value in a field that I match against my values: if yes, show 1, else 0. The only problem is where the field has both values (matched and unmatched) but it shows only 1; I want both 1 and 0.
An if function has either one result if the criteria are true or another result if the criteria are false - this is a very common paradigm
What I am suggesting is that you might be able to get the result you want if you evaluate the usecase events separately before bringing them together for each user (or whatever criteria you have used).
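
The approach suggested in the last reply, as an added example that is not part of the original thread: flag each use case event on its own, then aggregate per user so that both flag values survive. The `makeresults` rows are constructed sample data, and the regex assumes the critical list is exactly UC1 to UC10; `critical_ucs`, `other_ucs` and `combination` are hypothetical field names.

```spl
| makeresults count=6
| streamstats count AS n
| eval user=case(n<=4,"A", n==5,"B", true(),"C")
| eval UC=case(n==1,"UC1", n==2,"UC2", n==3,"UC87", n==4,"UC90", n==5,"UC3", true(),"UC150")
| eval valuex=if(match(UC,"^UC(10|[1-9])$"),"1","0")
| stats values(UC) AS UC values(valuex) AS valuex
        dc(eval(if(valuex=="1",UC,null()))) AS critical_ucs
        dc(eval(if(valuex=="0",UC,null()))) AS other_ucs
        BY user
| eval combination=if(critical_ucs>0 AND other_ucs>0,"yes","no")
```

Because `valuex` is computed while each event still holds a single UC, user A ends up with both 0 and 1 in `valuex` and `combination=yes`, while users B and C each carry only one of the two values.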